LinuxQuestions.org
Old 03-03-2010, 10:34 AM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Rep: Reputation: 77
Postfix Error w/ TLS & SASL Enabled


I have Postfix up and working perfectly. It receives and sends email fine with no TLS or SASL, but I installed Dovecot and then generated some self-signed certificates using 'openssl', and for some reason I can't send from my IMAP server. I get this in my logs:

Code:
Mar  3 11:20:45 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=10.1.1.204, lip=192.168.0.200, TLS
Mar  3 11:21:20 mail postfix/smtpd[1386]: connect from tuna.mydomain.tld[10.1.1.204]
Mar  3 11:21:20 mail postfix/smtpd[1386]: setting up TLS connection from tuna.mydomain.tld[10.1.1.204]
Mar  3 11:21:20 mail postfix/smtpd[1386]: SSL_accept error from tuna.mydomain.tld[10.1.1.204]: 0
Mar  3 11:21:20 mail postfix/smtpd[1386]: warning: TLS library problem: 1386:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1061:SSL alert number 48:
Mar  3 11:21:20 mail postfix/smtpd[1386]: lost connection after STARTTLS from tuna.mydomain.tld[10.1.1.204]
Mar  3 11:21:20 mail postfix/smtpd[1386]: disconnect from tuna.mydomain.tld[10.1.1.204]
Does anyone know what could be causing this issue? I don't see any other errors in my logs, and I am watching them over and over. Postfix receives mail perfectly and I can send in plain text with no TLS enabled. Below is the output of 'postconf -n':

Code:
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_warning_time = 4h
home_mailbox = mail/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamunix.com
myhostname = mail.iamunix.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relayhost = 
sample_directory = /etc/postfix/sample
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_helo_timeout = 60s
smtp_sasl_auth_enable = yes
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service inet:127.0.0.1:10030
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 450
 
Old 03-03-2010, 11:10 AM   #2
spampig
Member
 
Registered: Feb 2010
Location: /Earth/UK/England/Hampshire
Distribution: Debian, Ubuntu, CentOS, Slackware
Posts: 262
Blog Entries: 2

Rep: Reputation: 56
The error you are showing is a Postfix error - yet (assuming the domain info is correct in the output of postconf) there is no problem connecting in with TLS to your server - try it yourself:

Quote:
openssl s_client -starttls smtp -connect xxx.xxx.xxx.135:25
Can you clarify the issue you are having?

Are you having issues AUTHENTICATING with SASL to send mail with Postfix?
Are you having issues with TLS logging into Dovecot IMAP?

I'm a bit confused Carlos as to the actual problem :-)
 
Old 03-03-2010, 11:17 AM   #3
carlosinfl (Original Poster)
Yes, all the domain info is correct in my Postfix configuration. Everything was working perfectly as far as receiving email and sending plain text, but since I enabled the TLS & SASL entries in my main.cf and dovecot.conf, I can't send email and errors are visible in the log!

I am getting the following in my mail logs and it's flooding them...

Code:
Mar  3 11:42:29 mail postfix/smtp[1409]: fatal: specify a password table via the `smtp_sasl_password_maps' configuration parameter
Mar  3 11:42:30 mail postfix/master[1146]: warning: process /usr/lib/postfix/smtp pid 1409 exit status 1
Mar  3 11:42:30 mail postfix/master[1146]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
I basically can't send email from my Thunderbird client when I configure SMTP and IMAP to use TLS.
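
The "specify a password table" fatal above is raised by smtp(8), the Postfix SMTP client, not by smtpd(8): `smtp_sasl_auth_enable` turns on SASL for relaying outbound mail to a smarthost and needs `smtp_sasl_password_maps`, whereas `smtpd_sasl_auth_enable` is the setting that lets a mail client authenticate to the server. The following check is an added example, not part of the thread. It reads a `postconf -n` dump and flags that mix-up together with the related SASL settings worth verifying; the sample lines are a cut-down copy of the first post's output, and the `smtpd_tls_auth_only` check is our addition.

```shell
#!/bin/sh
# Added example (not from the thread): lint a `postconf -n` dump for the
# SASL/TLS mistakes discussed in this thread.
#   smtp_*  = Postfix acting as an SMTP client (relaying outbound mail)
#   smtpd_* = Postfix acting as an SMTP server (what Thunderbird talks to)

# Constructed sample: the relevant lines of the first post's `postconf -n`.
SAMPLE_MAIN_CF="$(cat <<'EOF'
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_use_tls = yes
EOF
)"

# cf_get CONFIG NAME: print the value of NAME ("" if the parameter is absent).
# postconf -n prints one "name = value" per line, so with awk's default field
# split the name is $1 and "=" is $2.
cf_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# lint_sasl CONFIG: one finding per line, no output when the config is clean.
lint_sasl() {
    cfg=$1
    if [ "$(cf_get "$cfg" smtp_sasl_auth_enable)" = yes ] &&
       [ -z "$(cf_get "$cfg" smtp_sasl_password_maps)" ]; then
        echo "ERROR smtp_sasl_auth_enable=yes without smtp_sasl_password_maps: smtp(8) exits at startup (the 'specify a password table' fatal)"
    fi
    if [ "$(cf_get "$cfg" smtpd_sasl_auth_enable)" = yes ]; then
        [ -n "$(cf_get "$cfg" smtpd_sasl_type)" ] ||
            echo "ERROR smtpd_sasl_auth_enable=yes but smtpd_sasl_type is unset"
        [ -n "$(cf_get "$cfg" smtpd_sasl_path)" ] ||
            echo "ERROR smtpd_sasl_auth_enable=yes but smtpd_sasl_path is unset"
        # Security caveat: without this, AUTH PLAIN/LOGIN is also offered on the
        # unencrypted connection, and a misconfigured client sends the password in clear.
        [ "$(cf_get "$cfg" smtpd_tls_auth_only)" = yes ] ||
            echo "WARN  smtpd_tls_auth_only is not 'yes': AUTH is offered before STARTTLS"
    else
        case "$(cf_get "$cfg" smtpd_recipient_restrictions)" in
            *permit_sasl_authenticated*)
                echo "WARN  permit_sasl_authenticated listed but smtpd_sasl_auth_enable is not 'yes' (it can never match)" ;;
        esac
    fi
}

# lint_count CONFIG: number of findings (0 = clean).
lint_count() {
    lint_sasl "$1" | awk 'END { print NR }'
}

# Run against the constructed sample; on a live system use: lint_sasl "$(postconf -n)"
lint_sasl "$SAMPLE_MAIN_CF"
```

For the sample above this reports two findings: the smtp(8) password-table error that fills the log in this post, and the missing `smtpd_tls_auth_only = yes`. Dropping `smtp_sasl_auth_enable` (the server is not relaying through anyone, `relayhost` is empty) clears the first; adding `smtpd_tls_auth_only = yes` clears the second.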
 
Old 03-03-2010, 11:36 AM   #4
spampig
Forget about IMAP for a moment - that is just for reading mail on a remote IMAP server - you cannot send mail by IMAP. That's the job of SMTP.

TLS is just about encryption - not authentication. I've been able to connect to your Postfix using STARTTLS with no problem, so you don't appear to have an issue there.

This error :
Quote:
CONNECTED(00000003)
18738:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:
Is, from memory, one of two things (or both). First check you don't have a key that needs a passphrase - it's a common error when people generate their own using the CA.pl script. Before you do that, however, check the port. Dovecot uses 993 or 995 for IMAPS (which is what you have).

Either change the port in your client (don't forget the firewall) or try this from the cli:
Quote:
openssl s_client -connect yourip:993
OR
openssl s_client -connect yourip:995
(if you are blocking these ports do it from the server itself and use openssl s_client -connect 127.0.0.1:993 for a quick check)
 
Old 03-03-2010, 11:47 AM   #5
carlosinfl (Original Poster)
OK I think I know the problem. My keys do require a pass-phrase when I generated them via 'openssl'. Should I delete them and regenerate the keys and force it not to generate a passphrase?
 
Old 03-03-2010, 11:59 AM   #6
spampig
Generating the keys with openssl is usually OK. It's when you use the CA.pl script that there is an issue. You would probably know if you used that. I'm not sure you did, as Postfix can't cope with keys like that, and I can already STARTTLS to your server. I think it's nothing more than the port -or- your Dovecot is not looking in the right place for the key/cert.

Before doing anything, try this on the command line of the server running Dovecot:

Quote:
openssl s_client -connect 127.0.0.1:993
If you see lots of stuff, including your certificate whizz by, just change the port. If you see an error then that will need to be investigated.
 
Old 03-03-2010, 12:38 PM   #7
carlosinfl (Original Poster)
OK I removed the passphrase from my certificate using this link and following 'step 3'.

I then went back into my main.cf on Postfix and only turned on the TLS configurations. I disabled the SASL stuff for now and I have no errors at all in my logs. My problem is that when I turn on SASL in Postfix, it then complains about:

Code:
Mar  3 13:23:56 mail postfix/master[1146]: warning: process /usr/lib/postfix/smtp pid 1720 exit status 1
Mar  3 13:23:56 mail postfix/master[1146]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
Mar  3 13:24:56 mail postfix/smtp[1722]: fatal: specify a password table via the `smtp_sasl_password_maps' configuration parameter
Mar  3 13:24:57 mail postfix/master[1146]: warning: process /usr/lib/postfix/smtp pid 1722 exit status 1
Mar  3 13:24:57 mail postfix/master[1146]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
Now with SASL enabled in Postfix, I don't understand what I am doing wrong or why it's complaining as you see in the logs up above...

I had to comment out all SASL sections in main.cf in order for this to work with only TLS.

Code:
# SMTP settings
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_tls_loglevel = 1
#smtpd_sasl_auth_enable = yes
#smtp_sasl_auth_enable = yes
smtpd_recipient_restrictions =
#       permit_sasl_authenticated,      
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        check_policy_service inet:127.0.0.1:10030
#smtpd_sender_restrictions = 
#       permit_sasl_authenticated, 
#       permit_mynetworks
#smtpd_sasl_security_options = noanonymous

# SASL
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = /var/run/dovecot/auth-client
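
Two TLS problems run through the thread so far: the `tlsv1 alert unknown ca` (TLS alert 48) in the first post, which is the client refusing a certificate it has no trust anchor for, and the passphrase-protected key discussed in posts #5 to #7, which an unattended daemon cannot open. The script below is an added example, not from the thread, and reproduces both with nothing but openssl in a scratch directory: it generates a passphrase-protected key, strips the passphrase the way the poster did, self-signs a certificate for the hostname from the `postconf -n` output, and shows that verification fails against the system CA store and succeeds once the certificate itself is supplied as the trust anchor. The passphrase and file names are ours.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two TLS problems from this
# thread with openssl alone.
#   1. a server key that needs a passphrase cannot be loaded by an unattended
#      smtpd or dovecot, so the handshake never gets started;
#   2. a self-signed server certificate is rejected by any client that has not
#      been told to trust it; the client answers with TLS alert 48, which
#      Postfix logs as "tlsv1 alert unknown ca".
# Hostname as in the poster's postconf output; passphrase and file names are ours.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: a key generated the way the poster did it, with a passphrase.
make_encrypted_key() {
    openssl genrsa -aes256 -passout pass:demo-passphrase -out "$WORK/enc.key" 2048 2>/dev/null
}

# key_state FILE: "encrypted" or "plain", judged from the PEM header
# (either "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
key_state() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

# Step 2: the fix from post #7, re-writing the key without the passphrase.
# An unencrypted key must be readable by root only.
strip_passphrase() {
    openssl rsa -in "$WORK/enc.key" -passin pass:demo-passphrase -out "$WORK/mail.key" 2>/dev/null
    chmod 600 "$WORK/mail.key"
}

# Step 3: self-sign a certificate for the MX hostname, valid for 30 days.
make_self_signed_cert() {
    openssl req -new -x509 -key "$WORK/mail.key" -days 30 \
        -subj "/CN=mail.iamunix.com" -out "$WORK/mail.crt" 2>/dev/null
}

# What an untrusting client does: build a path to the default CA store.
# For a self-signed cert that fails, and the failure is what puts alert 48
# on the wire.
verify_against_system_cas() {
    if openssl verify "$WORK/mail.crt" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# The client-side fix: trust mail.crt explicitly (Thunderbird: add a security
# exception; command line: -CAfile). A self-signed cert is its own trust anchor.
verify_against_own_cert() {
    if openssl verify -CAfile "$WORK/mail.crt" "$WORK/mail.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

run_demo() {
    make_encrypted_key
    echo "enc.key:         $(key_state "$WORK/enc.key")"
    strip_passphrase
    echo "mail.key:        $(key_state "$WORK/mail.key")"
    make_self_signed_cert
    echo "system CA store: $(verify_against_system_cas)"
    echo "with -CAfile:    $(verify_against_own_cert)"
}

run_demo
```

Against the live server the equivalent check is `openssl s_client -starttls smtp -connect mail.iamunix.com:25 -CAfile /etc/ssl/certs/mail.crt`; a `Verify return code: 0 (ok)` at the end of the output means a client configured with that trust anchor will not send alert 48, while `Verify return code: 18 (self signed certificate)` without `-CAfile` is the server-side view of the log lines in the first post.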
 
Old 03-03-2010, 12:57 PM   #8
spampig
OK, so you've fixed your TLS issue. Good. Now, for the SASL issue. In main.cf you should have something looking like this:

First check for dovecot in the output of this:
Quote:
postconf -a
if there is no 'dovecot' in the output - stop. You won't get it to work.

If that's good....
in main.cf you should have something like:
Quote:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
This uses a simple setup, 'talking' to Dovecot via a socket called 'auth', which should be found in /var/spool/postfix/private/

This is set up to match inside the dovecot.conf file {ignore my MySQL parts}:

Quote:
auth default {
  mechanisms = plain login
  passdb sql {
    # Path for SQL configuration file
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    # Path for SQL configuration file
    args = /etc/dovecot/dovecot-sql.conf
  }
  socket listen {
    client {
      #
      path = /var/spool/postfix/private/
      #yours should point to: /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

I note you have: smtpd_sasl_path = /var/run/dovecot/auth-client so I guess your dovecot.conf matches that? Given that the Postfix smtpd process drops to a chroot (if your master.cf tells it to) be sure that it can actually reach '/var/run/dovecot/auth-client' when you run it.

To help with your fault finding, if you can log in to Dovecot (by pop or imap) then you know the authentication works. You just need to find out why your Postfix can't 'talk' to it.
 
Old 03-03-2010, 01:15 PM   #9
carlosinfl (Original Poster)
I did find 'Dovecot' in the following:

Code:
[carlos@mail ~]$ postconf -a 
cyrus
dovecot
Now I checked: I do have a /var/run/dovecot/auth-client file, which is owned by postfix:postfix as you can see below:

Code:
[root@mail private]# cd /var/run/dovecot/
[root@mail dovecot]# ls -l
total 8
srw-rw---- 1 postfix postfix    0 Mar  3 13:13 auth-client
srw------- 1 root    root       0 Mar  3 13:13 auth-worker.1677
srwxrwxrwx 1 root    root       0 Mar  3 13:13 dict-server
lrwxrwxrwx 1 root    root      25 Mar  3 13:13 dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-x--- 2 root    dovecot 4096 Mar  3 13:13 login
-rw------- 1 root    root       5 Mar  3 13:13 master.pid
So now I guess I am wondering what I should do? Should I simply un-comment all the SASL stuff I showed you above in main.cf and adjust my 'dovecot.conf' file?

Code:
protocols = imap imaps
disable_plaintext_auth = yes
log_timestamp = "%b %d %H:%M:%S "
ssl = yes
ssl_cert_file = /etc/ssl/certs/mail.crt
ssl_key_file = /etc/ssl/private/mail.key
mail_location = maildir:~/mail
mail_access_groups = mail
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      user = postfix
      group = postfix
      mode = 0660
    }
  }
}
Is my main.cf missing SASL parameters like you noted above? I didn't recognize many of the ones you listed except for:

smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes

And my "smtpd_sasl_path" appears to be different from your example.
 
Old 03-03-2010, 01:28 PM   #10
spampig
I *think* {==guess} your issue is going to be related to where Postfix can look for the socket. I suspect it cannot reach '/var/run/dovecot/auth-client'

I would suggest setting your dovecot.conf to this:
Quote:
path = /var/spool/postfix/private/auth
Your main.cf to this
Quote:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
Restart dovecot, RESTART (not reload) postfix and try again.

Can you confirm you are able to normally log in to Dovecot IMAP without any problems?
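
The chroot point in the last two replies deserves a concrete check. Postfix daemons run with `queue_directory` as their working directory, so a relative `smtpd_sasl_path` such as `private/auth` is always opened under /var/spool/postfix; a chrooted smtpd (chroot column `y` in master.cf) additionally sees only the tree below that directory, so an absolute `/var/run/dovecot/auth-client` becomes `/var/spool/postfix/var/run/dovecot/auth-client` from its point of view, which is why spampig's suggestion puts the Dovecot socket inside the queue directory. The helper below is an added example, not from the thread: it reads the chroot flag for the smtp service from a master.cf fragment and prints the path smtpd will actually try to open. The master.cf lines are constructed; the paths are the two from this thread. A `-` in the chroot column means the built-in default, which master(5) documents as `y` before Postfix 3.0 (this thread's era) and `n` from 3.0 on; the helper assumes the pre-3.0 default.

```shell
#!/bin/sh
# Added example (not from the thread): work out which file a Postfix smtpd
# really opens for smtpd_sasl_path, taking the master.cf chroot flag into
# account. The master.cf fragment is constructed; on a real system read
# /etc/postfix/master.cf instead.
SAMPLE_MASTER_CF="$(cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
submission inet n       -       -       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
EOF
)"

# smtpd_chroot MASTER_CF SERVICE: chroot column of SERVICE/inet, with the
# master.cf default "-" resolved to "y" (pre-3.0 default, see master(5)).
# Continuation lines ("-o ...") never match because their $1 is "-o".
smtpd_chroot() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == svc && $2 == "inet" { print ($5 == "-") ? "y" : $5; exit }'
}

# effective_socket_path QUEUE_DIR SASL_PATH CHROOT: the path smtpd opens.
#  - relative paths are taken relative to queue_directory (daemons chdir there)
#  - absolute paths are opened as given, except inside a chroot, where every
#    absolute path is implicitly prefixed with queue_directory
effective_socket_path() {
    queue_dir=${1%/}; sasl_path=$2; chroot=$3
    case "$sasl_path" in
        /*) if [ "$chroot" = y ]; then printf '%s%s\n' "$queue_dir" "$sasl_path"
            else printf '%s\n' "$sasl_path"; fi ;;
        *)  printf '%s/%s\n' "$queue_dir" "$sasl_path" ;;
    esac
}

# report QUEUE_DIR SASL_PATH CHROOT: print the resolved path and, on a live
# system, whether a socket actually exists there (test -S).
report() {
    p=$(effective_socket_path "$1" "$2" "$3")
    if [ -S "$p" ]; then state="socket present"; else state="no socket at this path"; fi
    printf 'chroot=%s smtpd_sasl_path=%s -> %s (%s)\n' "$3" "$2" "$p" "$state"
}

CHROOT=$(smtpd_chroot "$SAMPLE_MASTER_CF" smtp)
# The poster's setting and spampig's suggestion, as a chrooted smtpd sees them,
# then the poster's setting for a non-chrooted smtpd:
report /var/spool/postfix /var/run/dovecot/auth-client "$CHROOT"
report /var/spool/postfix private/auth "$CHROOT"
report /var/spool/postfix /var/run/dovecot/auth-client n
```

Dovecot's `path =` in `socket listen { client { ... } }` must name the same file from the host's point of view, i.e. `/var/spool/postfix/private/auth` when Postfix uses `private/auth`, and the socket must be owned `postfix:postfix` with mode 0660 as in the posted `ls -l`, otherwise smtpd connects to the right path but is refused.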
 
Old 03-03-2010, 01:32 PM   #11
carlosinfl (Original Poster)
OK - I think I got this working, since I have nothing pertaining to SASL in my main.cf commented out any longer and no more errors flooding my logs:

I simply have:

Code:
# SMTP settings
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_tls_loglevel = 1
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        check_policy_service inet:127.0.0.1:10030
smtpd_sender_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks

# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
And my Dovecot config is:

Code:
protocols = imap imaps
disable_plaintext_auth = yes
log_timestamp = "%b %d %H:%M:%S "
ssl = yes
ssl_cert_file = /etc/ssl/certs/mail.crt
ssl_key_file = /etc/ssl/private/mail.key
mail_location = maildir:~/mail
mail_access_groups = mail
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  user = root
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      user = postfix
      group = postfix
      mode = 0660
    }
  }
}
I guess I need to test SASL and make sure it's actually working (I will Google this). I just wanted to say again thank you extremely for your time and assistance! Super helpful!!!
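
To test that SASL actually works, as the last post sets out to do, the most direct check is a manual AUTH inside a STARTTLS session. AUTH PLAIN carries `authzid NUL authcid NUL password` as one base64 string, and building that token by hand is the step people get wrong. The helper below is an added example, not from the thread: the credentials are invented, and the session function assumes `openssl s_client` and port 25 as used earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): hand-test Postfix SASL the way a mail
# client does, over STARTTLS. Credentials below are made up.

# sasl_plain_token USER PASSWORD: the base64 argument for "AUTH PLAIN".
# RFC 4616 layout is  authzid \0 authcid \0 passwd ; authzid is left empty,
# so the message begins with a NUL byte. It is piped straight into base64
# because a NUL cannot be held in a shell variable.
sasl_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# sasl_plain_decode TOKEN: show the three fields with '|' in place of NUL,
# to check a token before pasting it into a live session.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' '|'
}

# smtp_auth_probe HOST USER PASSWORD: scripted session against a live server
# (not run here). -starttls smtp makes s_client do the initial EHLO/STARTTLS;
# the EHLO is repeated afterwards as the protocol requires. Read the replies:
#   "250-AUTH PLAIN LOGIN"  server offers SASL (absent: smtpd_sasl_auth_enable off,
#                          or smtpd_tls_auth_only hides it until after STARTTLS)
#   "235 ... Authentication successful"  SASL works end to end
#   "535 ... authentication failed"      Dovecot reached but rejected the credentials
#   "454 ... Temporary authentication failure"  smtpd could not talk to the socket
smtp_auth_probe() {
    token=$(sasl_plain_token "$2" "$3")
    {
        sleep 1; printf 'EHLO test.example\r\n'
        sleep 1; printf 'AUTH PLAIN %s\r\n' "$token"
        sleep 1; printf 'QUIT\r\n'
    } | openssl s_client -quiet -starttls smtp -connect "$1:25" 2>&1
}

# Demo with constructed credentials:
TOKEN=$(sasl_plain_token carlos secret)
echo "AUTH PLAIN $TOKEN"
echo "decodes to: $(sasl_plain_decode "$TOKEN")"
```

Never run the probe without `-starttls smtp`: the token is only base64, not encryption, and on port 25 without TLS the password crosses the network in the clear, which is exactly the case `smtpd_tls_auth_only = yes` is meant to rule out.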
 
  

