Postfix SASL auth not working

Mr. A · 03-10-2010, 01:16 PM

Hi,

I've been having a really hard time with this; maybe someone here can help. I'm getting relay access denied to an email outside of my domain. It seems the passwords are authenticating because I'm not getting invalid password prompts.

### BEGIN POSTFIX CONF ###

# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
mailbox_size_limit = 0
message_size_limit = 50240000
mydomain = mycompany.com
myhostname = myhost.mycompany.com
mynetworks = 127.0.0.0/8,192.168.2.0/24,10.0.0.0/24,hash:/etc/postfix/
pop-before-smtp
myorigin = thrud.alliantinternet.com
sender_bcc_maps = hash:/etc/postfix/sender_bcc
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname NO UCE ESMTP myhost.mycompany.com
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, hash:/etc/postfix/pop-before-smtp
smtpd_delay_reject = no
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, hash:/etc/postfix/sender_access
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /var/spool/postfix/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 500000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 107
virtual_transport = virtual
virtual_uid_maps = static:107

### END POSTFIX CONF ###

If you need anything else to work with, let me know.

rweaver · 03-10-2010, 01:43 PM

These are the additional items my config has that yours doesn't (differs from yours significantly.)

Code:

smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom

There are good instructions for testing smtp-auth from command line at http://qmail.jms1.net/test-auth.shtml including how to do it using tls.

Edit: Also make sure you remembered to install the required sasl items-- cyrus-sasl-* (more or a less.)

Mr. A · 03-11-2010, 08:18 AM

The difference I see here is that you added

tls_daemon_random_source = dev:/dev/urandom
smtpd_tls_auth_only

You also have separate ssl keyfiles. Other posts I've seen use the same file for all three properties. Is there a significance to having them vary? How did you generate all three?

Mr. A · 03-11-2010, 08:59 AM

Could the issue also possibly be in one of these three lines?

smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, hash:/etc/postfix/pop-before-smtp, check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_access
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access

is permit_sasl_authenticated required in all three lines? I'm thinking it may be unnecessary (and counterproductive) in the smtpd_sender_restrictions. In the logs, I see "certificate verification failed" for IPs/emails that we deliver mail to, which leads me to believe I need to modify something in those 3 lines above, no?