LinuxQuestions.org


alexxxis 12-31-2006 10:24 AM

Postfix smtp with SASL from ANY ip to ANY address
 
Hi all,

I have successfully set up Postfix to do SMTP
and use SASL... but at the moment it is only
possible to SMTP from IPs I set in mynetworks (e.g. xxx.xxx.xxx.xxx) and ONLY to local addresses.

I want my users to be able to SMTP from ANY IP
and send mail to ANY address (even outside my server).

Does anyone know how to do this?
(I have wasted ages trying to make this work.. with no luck)
Below is a small snippet of the relevant configuration
in my main.cf file..


Any help would be appreciated!
Alex


Code:

# local
myhostname = mail.xyz.com
mydomain = xyz.com
myorigin = $myhostname
mynetworks = 127.0.0.0/24 xxx.xxx.xxx.xxx
mydestination = $myhostname localhost localhost.$mydomain localhost.localdomain
alias_maps = hash:/etc/aliases
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = local


smtpd_recipient_restrictions =
  reject_unknown_sender_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_rbl_client relays.ordb.org,
  reject_rbl_client sbl.spamhaus.org,
  reject_rbl_client cbl.abuseat.org,

# SMTP AUTH (SASL)
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
# Be nice to brokenware like Outlook Express:
broken_sasl_auth_clients = yes


saman007uk 01-01-2007 05:57 AM

Below is my configuration, which allows smtp from any IP to any IP.
Code:

# see /usr/share/postfix/main.cf.dist for a commented, fuller
# version of this file.

# Do not change these directory settings - they are critical to Postfix
# operation.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
setgid_group = postdrop
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

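Both restriction lists in this thread are relay-safe because reject_unauth_destination (or the older check_relay_domains) sits after the two permit rules. The checker below is an added example, not code from the thread or from Postfix; it assumes a simplified main.cf syntax and runs on a constructed copy of the restriction block from the third post.

```python
import re

# Restrictions that stop Postfix relaying to arbitrary destinations
# (check_relay_domains is the older spelling used in a reply above).
ANTI_RELAY = {"reject_unauth_destination", "defer_unauth_destination",
              "check_relay_domains"}
RESTRICTION = re.compile(r"^(permit|reject|defer|check_|warn_if_reject)")

def parse_main_cf(text):
    """Simplified main.cf reader: 'name = value'; a line starting with
    whitespace continues the value; '#' lines are dropped (approximation,
    'postconf -n' is the authoritative view of what Postfix loaded)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:      # continuation line
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def restriction_list(params, name="smtpd_recipient_restrictions"):
    """Split on commas/whitespace; an argument (e.g. an RBL zone) stays
    attached to the restriction it belongs to."""
    out = []
    for tok in filter(None, re.split(r"[,\s]+", params.get(name, ""))):
        if RESTRICTION.match(tok):
            out.append(tok)
        elif out:
            out[-1] += " " + tok
    return out

def relay_policy(params):
    """(ok, reason): False when an unauthenticated remote client could relay,
    i.e. no anti-relay rule at all, or a bare 'permit' placed before it."""
    rlist = restriction_list(params)
    names = [r.split()[0] for r in rlist]
    anti = [i for i, n in enumerate(names) if n in ANTI_RELAY]
    if not anti:
        return False, "no reject_unauth_destination or equivalent: open relay"
    if "permit" in names[:anti[0]]:
        return False, "unconditional 'permit' before the anti-relay rule"
    return True, "anti-relay rule %r at position %d" % (rlist[anti[0]], anti[0] + 1)
# Constructed sample: the third post's block, with its commented-out entry.
SAMPLE_CF = ("smtpd_recipient_restrictions =\n  #reject_unknown_sender_domain,\n"
             "  permit_mynetworks, permit_sasl_authenticated,\n  reject_unauth_destination,\n")
```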

alexxxis 01-01-2007 11:40 AM

Tnx,

I managed to receive mail from outside addresses by setting:

Code:

smtpd_recipient_restrictions =
  #reject_unknown_sender_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,

but I actually found out in the log file that
SASL authentication failure: no secret in database

so I still cannot send mail to addresses outside my domains.
Any ideas?

Code:

Jan  1 15:07:22 xyz postfix/smtpd[7380]: connect from unknown[xx.xxx.xxx.xxx]
Jan  1 15:07:25 xyz postfix/smtpd[7380]: warning: SASL authentication failure: no secret in database
Jan  1 15:07:25 xyz postfix/smtpd[7380]: warning: unknown[xx.xxx.xxx.xxx]: SASL CRAM-MD5 authentication failed
Jan  1 15:07:25 xyz postfix/smtpd[7380]: NOQUEUE: reject: RCPT from unknown[xx.xxx.xxx.xxx]: 454 <test@test.com>: Relay access denied; from=<sander@xyz.com> to=<test@test.com> proto=ESMTP helo=<Alexis.xyz.com>
Jan  1 15:07:26 xyz postfix/smtpd[7380]: disconnect from unknown[xx.xxx.xxx.xxx]


saman007uk 01-01-2007 12:46 PM

SASL is currently configured to check for usernames/passwords in a database (/etc/sasldb I think). You will need to configure SASL to use a different authentication method, or add the usernames to the database. The appropriate configuration files are /etc/defaults/saslauthd and /etc/postfix/sasl/smtpd.conf I think.

See: Debian Sarge: The Perfect Setup

alexxxis 01-01-2007 03:53 PM

Thanks saman007uk,

I am storing it in database and using /etc/postfix/sasl/smtpd.conf.

Do you know how should the password be encoded?
I am getting this error now:
SASL authentication failure: incorrect digest response

all the best for the new year,
Alex

saman007uk 01-01-2007 04:47 PM

That's probably because the postfix daemon is chrooted, and can't access the files. See if the following helps (I'd rather create symlinks than move files):

Code:

mkdir -p /var/spool/postfix/etc
# chown's recursive flag is upper-case -R
chown -R postfix:postfix /var/spool/postfix/etc
ln -s /etc/sasldb /var/spool/postfix/etc/sasldb

If not, simply copy the file over, giving it proper permissions.

Personally, I'd rather use PAM to authenticate for SMTP than a database, since it means I don't have to worry about modifying the database every time a user changes their password.

alexxxis 01-01-2007 05:27 PM

saman007uk,

I managed to get it working from the database (I am using an admin tool that adds passwords there)
.. what is worrying is that it needs plain passwords
.. but never mind this for a sec

the problem now is that although the SASL auth works
the emails are queued forever because of:
"[hotmail.com]: Name or service not known" or
"[gmx.net]: Name or service not known"

why could this be?

Code:

Jan  1 23:22:40 cytopia postfix/smtpd[10579]: connect from unknown[xx.xxx.xxx.xxx]
Jan  1 23:22:43 xyz postfix/smtpd[10579]: 1DFAF4482F5: client=unknown[xx.xxx.xxx.xxx], sasl_method=CRAM-MD5, sasl_username=sander@xyz.com
Jan  1 23:22:45 xyz postfix/smtpd[10579]: 654384482F5: client=unknown[xx.xxx.xxx.xxx], sasl_method=CRAM-MD5, sasl_username=sander@xyz.com
Jan  1 23:22:46 xyz postfix/cleanup[10592]: 654384482F5: message-id=<7.0.1.0.0.20070102012221.05a4d0e0@gmx.net>
Jan  1 23:22:46 xyz postfix/qmgr[10287]: 654384482F5: from=<sander@xyz.com>, size=518, nrcpt=1 (queue active)
Jan  1 23:22:46 xyz postfix/smtp[10595]: 654384482F5: to=<xyz@hotmail.com>, relay=none, delay=1, status=SOFTBOUNCE ([hotmail.com]: Name or service not known)
Jan  1 23:22:46 xyz postfix/smtpd[10579]: disconnect from unknown[xx.xxx.xxx.xxx]


saman007uk 01-01-2007 05:37 PM

Postfix can't do DNS lookups. Doing the following might help:
Code:

postconf -e 'disable_dns_lookups = no'
/etc/init.d/postfix restart

If not, log in as the postfix user (using sudo) and see if you can look up the MX host:
Code:

dig mx hotmail.com

alexxxis 01-01-2007 10:43 PM

Code:

# postconf - e'disable_dns_lookups = no'
postconf: warning: -: unknown parameter
postconf: warning: edisable_dns_lookups = no: unknown parameter

it does not seem to work


Code:

xyz:~# su postfix
xyz:~# dig mx hotmail.com

; <<>> DiG 9.2.4 <<>> mx hotmail.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4443
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;hotmail.com.                  IN      MX

;; AUTHORITY SECTION:
.                      518400  IN      NS      F.ROOT-SERVERS.NET.
.                      518400  IN      NS      G.ROOT-SERVERS.NET.
.                      518400  IN      NS      H.ROOT-SERVERS.NET.
.                      518400  IN      NS      I.ROOT-SERVERS.NET.
.                      518400  IN      NS      J.ROOT-SERVERS.NET.
.                      518400  IN      NS      K.ROOT-SERVERS.NET.
.                      518400  IN      NS      L.ROOT-SERVERS.NET.
.                      518400  IN      NS      M.ROOT-SERVERS.NET.
.                      518400  IN      NS      A.ROOT-SERVERS.NET.
.                      518400  IN      NS      B.ROOT-SERVERS.NET.
.                      518400  IN      NS      C.ROOT-SERVERS.NET.
.                      518400  IN      NS      D.ROOT-SERVERS.NET.
.                      518400  IN      NS      E.ROOT-SERVERS.NET.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  2 04:40:58 2007
;; MSG SIZE  rcvd: 240

looks fine no?

saman007uk 01-02-2007 04:57 AM

From your DNS query, I can see that postfix is unable to look up MX DNS records.

You should have gotten something like this:
Code:

; <<>> DiG 9.2.5 <<>> mx hotmail.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 508
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hotmail.com.                  IN      MX

;; ANSWER SECTION:
hotmail.com.            2687    IN      MX      5 mx2.hotmail.com.
hotmail.com.            2687    IN      MX      5 mx3.hotmail.com.
hotmail.com.            2687    IN      MX      5 mx4.hotmail.com.
hotmail.com.            2687    IN      MX      5 mx1.hotmail.com.

;; Query time: 38 msec
;; SERVER: 81.169.163.104#53(81.169.163.104)
;; WHEN: Tue Jan  2 11:47:08 2007
;; MSG SIZE  rcvd: 109

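A parser for the two dig transcripts above, added here as an example (it is not code from the thread), that turns the flags/ANSWER/AUTHORITY header into the verdict given in this reply: no 'ra' flag plus a root-server referral means the server at 127.0.0.1 is not recursing for the client. The samples are abbreviated copies of the two transcripts.

```python
import re

HEADER = re.compile(r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
                    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SERVER = re.compile(r";; SERVER: (\S+)")
ROOT_NS = re.compile(r"^\.\s+\d+\s+IN\s+NS\s", re.M)   # '.  518400 IN NS ...'

def diagnose_dig(output):
    """Describe a dig transcript.  'ra' (recursion available) missing from
    the flags, zero answers and root NS records in AUTHORITY together mean
    the server handed back a referral instead of resolving the name, which
    is what the local bind at 127.0.0.1 did in the thread."""
    m = HEADER.search(output)
    if not m:
        return {"verdict": "unparsed"}
    flags = set(m.group(1).split())
    srv = SERVER.search(output)
    info = {"server": srv.group(1) if srv else None,
            "recursion_available": "ra" in flags,
            "answers": int(m.group(3)),
            "root_referral": bool(ROOT_NS.search(output))}
    if info["answers"] > 0:
        info["verdict"] = "resolved"
    elif not info["recursion_available"] and info["root_referral"]:
        info["verdict"] = "referral: server is not recursing for this client"
    elif not info["recursion_available"]:
        info["verdict"] = "no recursion available from this server"
    else:
        info["verdict"] = "no data"
    return info

# Constructed, abbreviated copies of the two transcripts in the thread.
BROKEN = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4443
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; AUTHORITY SECTION:
.                      518400  IN      NS      F.ROOT-SERVERS.NET.
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
GOOD = """;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
hotmail.com.            2687    IN      MX      5 mx2.hotmail.com.
;; SERVER: 81.169.163.104#53(81.169.163.104)
"""
```

Granting recursion only to the hosts that need it, as the allow-recursion line later in the thread does for 127.0.0.1, is also what keeps a bind instance from serving as an open resolver for the rest of the internet.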

alexxxis 01-02-2007 07:54 AM

that is bizarre.

why would such a thing happen?
Is it my network provider's fault?

saman007uk 01-02-2007 09:02 AM

Try the same command as the root user, see what you get. Are you using Debian stable?

alexxxis 01-02-2007 09:35 AM

I am on Debian 3.1 stable, yes.. and I get the same results for root
.. I also run bind9 on the server.. could this be related somehow?

saman007uk 01-02-2007 10:09 AM

Yes, it is very likely that the server is trying to look up the domains from the local bind server.

Look at /etc/resolv.conf and see if it lists the local server.

alexxxis 01-02-2007 03:41 PM

Thanks for your patience saman007uk,

yes you are right, /etc/resolv.conf has:
nameserver 127.0.0.1

there is also a weird record: search org

(the file says not to edit it by hand)
so I did:
resolvconf -d nameserver 127.0.0.1 (remove)
resolvconf -u (update scripts)

but the local address is still in the file..
how do I remove it?

saman007uk 01-03-2007 04:32 AM

The command is:
Code:

resolvconf -a eth0 name-server-ip
resolvconf -u

Where eth0 is your network interface and name-server-ip is the IP of your actual ISP name servers.

alexxxis 01-03-2007 07:50 AM

resolvconf -a eth0 xxx.xxx.xxx.xxx

gets stuck! and does not return unless I do "Ctrl^c"

does this mean that there is a problem with my nameservers?
by the way the nameservers are already in /etc/resolv.conf

Alex

saman007uk 01-03-2007 09:55 AM

I'm pretty sure that you can just edit /etc/resolv.conf manually, but if you don't like that, the following should also solve your problem.

Add the following to the options{} part of /etc/bind/named.conf:
Code:

forwarders {
    x.x.x.x;
};
forward first;
transfers-in 150;

Where x.x.x.x is the nameserver IP. Then restart the bind daemon.

Then, to speed things up a bit, you can add the following for each of the other domains/zones that you are hosting DNS data for:
Code:

forwarders {};

This disables forwarding for that zone/domain.

alexxxis 01-03-2007 10:52 AM

Excellent!

I added the forwarders and all works fine..

all I need now is to store the digest-md5 passwords in the database
and I should be ready (it already works with plain passwords)

BiG thanks to saman007uk

and a note to newbies trying to use this howto:
http://www.besy.co.uk/projects/debia...rver_howto.htm

At its Second version it is not complete and DOES NOT work..
so do not waste your time with it.. the author said a complete
third version will be soon available

Alex

saman007uk 01-05-2007 03:03 PM

I did a bit of searching, and it turns out that the "resolvconf" utility actually reads the DNS data from /etc/network/interfaces.

For example, if your network interface is called eth0, then your file should have something like this:
Code:

auto eth0
iface eth0 inet static
        address x.x.x.x
        netmask x.x.x.x
        gateway x.x.x.x
        dns-nameservers [name-servers here, separated by a space]
        dns-search [your domain name]

Then, as root:
Code:

resolvconf -u

When changing network options, make sure they are correct - if wrong, you could lose access to your server from the net (unless you have some sort of serial console ...).

alexxxis 01-06-2007 02:47 PM

I added:
Code:

//recursion no;
allow-recursion { 127.0.0.1; };

and it works perfectly
no need to edit resolv.conf

Thanks saman007uk,
Alex

