LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 10-26-2013, 08:56 AM   #1
Altiris
Member
 
Registered: Mar 2013
Posts: 556

Rep: Reputation: Disabled
assistance in setting up SASL authentication


I am setting up a small server for a church which is to handle a few email addresses (someone before me set up the web server already). I told him I could do the job but I am running into errors and my time is being limited.

I read this guide http://www.unixmen.com/install-postf...on-centos-6-4/ to setup the actual mail server and all was working fine, except I could only send emails that were on the same domain. I discovered I needed to enable SASL. I read this guide several times http://www.postfix.org/SASL_README.html#server_dovecot and my config files are EXACTLY the same and I can't connect to the email server via Squirrelmail, or Thunderbird client. The domain has not been registered yet (he doesnt want to register it yet or knows how) so in thunderbird I have been typing "username@localhost" and "username@LOCALIPADDRESSHERE". I look for errors in the maillog and I get these:

Code:
dovecot: imap-login: Disconnected (no auth attempts): rip=::1, lip=::1, secured
dovecot: pop3-login: Error: Timeout waiting for handshake from auth server. my pid=18208, input bytes=0
Thanks for helping it is greatly appreciated.


Config files in pastebin links-

postfix/main.cf http://pastebin.com/tEf3NwCH
dovecot/dovecot.conf http://pastebin.com/ZM2SpyyK
dovecot/conf.d/10-auth.conf http://pastebin.com/sWBnXztc
dovecot/conf.d/10-master.conf http://pastebin.com/8FA4TQAr

Last edited by Altiris; 10-26-2013 at 09:02 AM.
 
Old 10-27-2013, 02:34 PM   #2
Pearlseattle
Member
 
Registered: Aug 2007
Location: Zurich, Switzerland
Distribution: Gentoo
Posts: 999

Rep: Reputation: 142Reputation: 142
Hi

DOES NOT ANSWER YOUR QUESTION
=============================
Web servers are eaaasy, but email servers are hardcore - I experienced (still experiencing) this personally.

Please consider if the email-addresses shouldn't be hosted on an external email server like gmail (didn't really check but I have the general feeling that gmail accepts hosting email for other domains - in the end all they want is to peek at the data ;o) ).

In any case, if you're sure that you want to commit yourself with this and you are willing to continue maintaining it (you'll have to keep an eye on it because of the multiple attacks) then the only thing I can tell you is to follow this guide:
https://wiki.gentoo.org/wiki/Complet...al_Mail_Server (does not use dovecot)

I used the previous version of that guide to set up my mailserver and it was a good base.
The next steps for you would be to set up a web-interface (probably "roundcube") and some anti-spam measures (probably "greylisting").

Cheers!
 
1 members found this post helpful.
Old 10-27-2013, 02:47 PM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Rep: Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946
Quote:
Originally Posted by Pearlseattle View Post
Hi

DOES NOT ANSWER YOUR QUESTION
=============================
Web servers are eaaasy, but email servers are hardcore - I experienced (still experiencing) this personally.

Please consider if the email-addresses shouldn't be hosted on an external email server like gmail (didn't really check but I have the general feeling that gmail accepts hosting email for other domains - in the end all they want is to peek at the data ;o) ).
Altiris, I totally agree with what Pearlseattle said. I'm sure you have the skills, but considering that your time is crunched, and that this is for a church, Gmail would be a better way to go.

I say that, because this IS a church...not a data center. Expiring certificates, power failures, etc., can ALL do a number of email, not to mention just basic site security. Would you really trust some of the teenagers who might be at Sunday-school NOT to pull a prank and send out a phony email? Gmail will let the church-folk check things from their phones/tablets if they want to as well, and keep things a bit more secure. And keep you from having a maintenance nightmare after the fact.
 
Old 10-27-2013, 03:28 PM   #4
Pearlseattle
Member
 
Registered: Aug 2007
Location: Zurich, Switzerland
Distribution: Gentoo
Posts: 999

Rep: Reputation: 142Reputation: 142
Ok, what I and TBOne wrote might be quite discouraging, but on the other side the world needs good admins, so you might still give it a try and through all kind of attacks you'll earn a lot of knowledge, which you can reuse later for other projects not even related to email - once you survive email attacks the others through the web-frontends are quite ok.

Assuming that you manage to fix your problem or that you reinstall the system using the link I posted or use any other guide:
1)
decide who will be the administrator and reinstall the whole thing with her/him. S/he will need that knowledge for the next upgrades.
Somebody will have to be the admin - an email-server without a good admin is dead within 6 months.
2)
Use a VM running the email-server, with everything saved in a simple file (no direct mounts to LVM, physical disks nor anything else). This makes moving/copying the email-VM from host to host extremely simple (you just copy the file) with no performance impact and are using the right mount options.
I'm doing this for myself and a group of friends, who I inform whenever I have a downtime, but in your case the church will probably need the servers to be always up, therefore you'll need a secondary MX server => using a file rsync'ed regularly from the master makes things much simplier.
3)
Firewall will have to be linked to the email system that you use (using "fail2ban"), blocking brute-force logins f0or some time after they're detected by examining the log of the smtp-server you're using.
4)
Antivirus and antispam are a must.

I advise you to do it, if you have enough time available, don't have hard SLAs and have somebody who could take over the job on the church-side as admin sometimes during the next years - or if you can do this now and then turn it to gmail or something similar when you cannot.
Your can gain from this for sure a lot of experience.

Cheers
 
Old 10-27-2013, 04:36 PM   #5
Altiris
Member
 
Registered: Mar 2013
Posts: 556

Original Poster
Rep: Reputation: Disabled
I took your guys advice, I spoke with the guy and he understood, was a bit disappointed but I persuaded him. Anyways maybe in the future I may ask about this, I still would like to actually figure out how to correctly set up an email server just so I have the knowledge and can apply it to part of my job, maybe a big or bigger type of business needs it, I can be there to set it up. I'm thinking of trying from scratch to set up the email server (getting roundcube frontend if it's not too hard on CentOS) on a test box I have at home. Ill report back in a few days most likely. Thanks for the help.
 
Old 11-01-2013, 08:17 PM   #6
Altiris
Member
 
Registered: Mar 2013
Posts: 556

Original Poster
Rep: Reputation: Disabled
Alright im back and I have ran into the same exact problems on my text box, any help? Just read the OP as I have the same EXACT issues.
 
Old 11-07-2013, 07:13 PM   #7
Altiris
Member
 
Registered: Mar 2013
Posts: 556

Original Poster
Rep: Reputation: Disabled
Hello, any help?
 
Old 11-10-2013, 02:42 PM   #8
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Rep: Reputation: 2
Hey,

I dont like to cross post. HOwever, I wrote a how to that covers this. I can tell you that the time out on the handshake makes me think you have a tls issue. I would do the following:

Code:
openssl s_client -starttls smtp -connect main.gerp.me:25
I am guessing your using Tls right? If not, then just do this from a remote machine on the same subnet :
Code:
telent some_ip 25
Code:
telnet some_ip 110
The while light on log entries from you, I am thinking you have a issue with dovecot.

What changes did you make to dovecot.conf?

What ever the case maybe, you have multiple layers of auth going on with SASL. The tls handshake then the actual username pass have to match. That said, I reposted a how to I did for you. Since you dont need a bunch of the mysql stuff ( i would rather use virtual mailboxes ) you can just take a closer look at the TLS portions. The write up is commented so it should be easy to follow.

On the edit format, yeah I did not change that. Let me know if I can help.

That how to works on a centos box. I have torn mine down just to test it a few times.

I wish I could help more; however, if you do not understand the underlying auth methods and this is for a production mail server I have to say...google might be a better choice until you get things under control.
It does not take much to get on a RBL ( I am now and I dont even send mail ). It just takes 1 message or someone that you reported as a spam relay reporting you and your on a RBL. Perhaps setting up gmail would be better. You have to consider how you will go about adding new accounts when the user wants them.

If your dead set on your own MTA i would look at one of the turnkey linux MTA. Maybe check out iredmail or something.
Find the how to at :http://www.linuxquestions.org/questi...es-4175484132/


---------- Post added 11-10-13 at 03:42 PM ----------

Almost forgot, it could be something as simple as a firewall rule. I Doubt that though. Something to look into.

Last edited by munkz; 11-10-2013 at 03:06 PM.
 
Old 11-16-2013, 11:16 AM   #9
Altiris
Member
 
Registered: Mar 2013
Posts: 556

Original Poster
Rep: Reputation: Disabled
Thanks for writing that guide, I started reading it and I see you have also made an OpenVPN guide, I will take take a look at that. A bit of of time has passed since my last post and I so I actually sort of started from scratch on my email server and followed a guide on the cents wiki. I am actually now able to sign into my mail account using thunderbird, but when I try sending an email it just says connecting to "mail.domainname.com" forever. I will try out those commands and tell you what happens and then follow your guide. thanks again!

EDIT: I ran
Code:
openssl s_client -starttls smtp -connect main.gerp.me:25
and got this in return
Code:
CONNECTED(00000003)
Then I ran the second command
Code:
telent externaliphere 25
and I got this in return
Code:
Trying externaliphere...
Connected to externaliphere...
Escape character is '^]'.
220 hostname.domainname.com ESMTP Postfix

Last edited by Altiris; 11-16-2013 at 12:12 PM.
 
Old 11-16-2013, 12:28 PM   #10
Altiris
Member
 
Registered: Mar 2013
Posts: 556

Original Poster
Rep: Reputation: Disabled
This is a reply to your guide (I dont know whether or not you want to me to reply here or on the forum on your guide). I am confused at this part

"1.Postfix and Dovecot SSL: You need this!1
If you do not have a SSL cert, you can get a free one over at https://www.startssl.com/?app=1
Once you have your key, you will need to make sure and get the root-ca bundle."

Do I need to use that website to generate SSL cert? What is the root-ca bundle? Previously (when following the centos guide) I made the keys for mail by using genkey --days 365 mail.example.com however I dont think that generates all of the necessary keys that you are stating in your guide.
 
Old 11-16-2013, 07:01 PM   #11
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Rep: Reputation: 2
Hi,

YOu dont have to use startssl. I listed that due to it being free. Most of the larger MTA will like that; additionally, its better not to use a self signed if you can get a free SSL.


The commands you posted look as if connections are working for submission. I should have also let you know to run the HELO some_host_name so that you could see what options postfix was supporting to clients. Another point, did you copy and past the openssl command with out changing the host to connect to? If so, all you did was connect to my server to test for starttls on port 25. It works. What you are trying to do is test YOUR sever, not mine.

Can you give me yo

ur domain name and let me check out whats going on from a client perspective? Not sure, but if your using standard settings ( port 25,110 for example ), depending on your office/home isp you may not be able to get through on port 25. They block it most times to stop infected zombies from sending spam and stuff.

I trouble shoot like this :

1. Does it work local ? Yes MOVE ON
2. Does it work remote ? No Check firewall rules for INPUT. Check /var/log/maillog for any hints.

1b. Does it work local? No Its a most likely a issue with your postfix or dovecot config. restart and tail maillog to see if you get any leads. Also, run netstat -tunapl to see what ports / services are open and taking connections.
Hope this helps.

If you give me your domain I will try and see what things are doing as far as I can.

Good luck.
 
Old 11-17-2013, 01:49 AM   #12
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Rep: Reputation: 2
Sorry, missed your first bit about the gen of ssl certs. First, the CA bundle is used to verify the key. So, if you did this on your own, use a FQDN. Using example.com is not such a good idea since example.com is a FQDN that belongs to someone else. Th,ats a good way to get your self rbled real fast.

Next, tons of stuff on google about generating a cert. I would start with reading up over at openSSL docs on cert generation for self signed.

The short of it: Get the free key at startssl. Its worth it. They hold the signing key.

The bundle listed in the how to can be found over at https://www.startssl.com/certs/ca-bundle.crt. Just do a curl -O on it.

You could just use easy-rsa to. Thing is, from my view getting a signed cert by a SSL sign outfit is the better route to take. I would really like to see what others think on this topic. I know others on this forum know a better way to do this.

For something like openvpn where you need to generate keys for clients; yeah, self signed. Your in control of that network ( well I think I am any ways, dunno. Still getting that down.)

For your mail server, thikn in these terms : You want to make it as easy as possible for other MTA's to validate the who and where on your server. Hence, you need SPF ( get by with out until you cant ), DKIM ( OUTLOOK straight said bugger off until I got that correct. All mail was goign to spam.), SSL set for both Postfix AND Dovecot ( thats a gotcha by the way. Make sure and set it in both daemons .

Like I said up top, its not that its hard to set up or anything. Its more along the lines of being able to debug it when it goes south on you.

If you do decide to generate your own cert read up on this post. I have to do that myself all the time.

Another thing, my set up might not be the best way to go. I put on here to get feed back. I have yet to get any. I know it works. However, just cause it works does not mean it is the correct way to do it. Good luck. I will try to help as much as I can. Just dont want to get into the whole blind leading the blind thing.

Books have been published about setting up postfix.
 
Old 11-17-2013, 07:59 PM   #13
Altiris
Member
 
Registered: Mar 2013
Posts: 556

Original Poster
Rep: Reputation: Disabled
Thanks for the reply/help, I will be busy this coming week and can only re-test things on the computer by Friday. Responding to your questions, I did change the command to my actual hostname and dominaname. I can not give you my domain name because it has not been registered with my ISP yet (I dont want to spend money for it yet not knowing if everything is working). I also have a business ISP and I know that the port 25 is not blocked on my server's firewall, router firewall, AND ISP. I will try and run those commands and report feedback to you on Friday (I will be busy with work this week, I am really sorry to make you wait). I will go with your suggestion and use startssl, that easy-rsa thing seems familiar as I used that to setup up OpenVPN I believe (although my VPN isnt working, thats another situation). I actually had set SSL in both postfix and dovecot and then removed it in dovecot and only set it in postfix (either way I had the same exact errors) but I will enable it again in Dovecot.

Thanks for the assistance!!
 
1 members found this post helpful.
Old 11-17-2013, 11:09 PM   #14
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Rep: Reputation: 2
Sure. Not making me wait. I am going to tear my server down again ( it like home work ). When I do, I will follow my own how-to and see if it is
1. Intuitive.
2. Works ( assuming things that need to be changed like domain names and such are followed)
3. I think I may have messed up on the SSL portion. I seem to recall needing to cat in the CRT and CA into one file. HOwever, I thought I changed that so that each would be defined separately.

ANyway, wish ya luck. I Know it can be a pain trying to keep up with the learning curve. Seems that always got something to learn.
 
Old 11-24-2013, 11:55 AM   #15
Altiris
Member
 
Registered: Mar 2013
Posts: 556

Original Poster
Rep: Reputation: Disabled
Alright thanks a bunch. So im assuming I should wait for you to fix the guide before following the SSL part, or?? Could my email server actually be working except since my domain isnt registered thunderbird cant send the email? I noticed that when I sign into my email using Thunderbird it asks to me accept a certificate which states mail.mydomain.net:143. Its connecting using Port 143 which I believe is nonSSL IMAP or POP3 (Im not sure which one). Isnt this a bad thing as its sending the login data through plain text?

EDIT: I setup Roundcube web based email client and when I try sending an email, even to myself, I get "SMTP Error (250): Authentication failed."

Last edited by Altiris; 11-24-2013 at 12:18 PM.
 
  


Reply

Tags
dovecot, postfix


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Postfix/sasl authentication jwenzel09 Linux - Server 2 03-16-2011 01:20 AM
[SOLVED] Postfix SASL : No Authentication Mechanisms Cybrax Linux - Newbie 1 11-13-2010 01:58 AM
Postfix SASL Authentication Failure linuxpyro Linux - Server 1 12-15-2008 09:29 PM
Postfix/SASL/MySQL "SASL LOGIN authentication failed" Temujin_12 Linux - Server 8 10-04-2008 10:37 PM
SASL authentication using NTLM MikeDawg Linux - Security 0 08-30-2007 02:10 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 04:09 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration