[opensuse] Postfix does not seem to be logging
Running SuSE 10.0 on my server, I'm trying to see why my mobile phone isn't allowed to relay through it. However, having tried to clean my log files to make finding the test section easier, I seem to have stopped the logging process. Two tries at postfix reload have not resolved the issue and after about an hour, mail, mail.err, mail.warn and mail.info all remain empty. Any suggestions, please?

TIA
J

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
John wrote:
Running SuSE 10.0 on my server, I'm trying to see why my mobile phone isn't allowed to relay through it. However, having tried to clean my log files to make finding the test section easier, I seem to have stopped the logging process. Two tries at postfix reload have not resolved the issue and after about an hour, mail, mail.err, mail.warn and mail.info all remain empty.
Postfix is not logging to /var/log/mail itself, instead it is sending all log notifications to syslog. In other words: you need to restart syslog.

You probably need to set up smtp auth for Postfix to allow relaying from your mobile phone. Most of these devices have pretty miserable options to configure smtp auth.

Please post the output of "postconf -n" , /etc/postfix/master.cf (without the comments) and the options that are available in your mobile phone for authentication.

-- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
Sandy Drobic wrote:
John wrote:
Running SuSE 10.0 on my server, I'm trying to see why my mobile phone isn't allowed to relay through it. However, having tried to clean my log files to make finding the test section easier, I seem to have stopped the logging process. Two tries at postfix reload have not resolved the issue and after about an hour, mail, mail.err, mail.warn and mail.info all remain empty.
Postfix is not logging to /var/log/mail itself, instead it is sending all log notifications to syslog. In other words: you need to restart syslog.
You probably need to set up smtp auth for Postfix to allow relaying from your mobile phone. Most of these devices have pretty miserable options to configure smtp auth.
Please post the output of "postconf -n" , /etc/postfix/master.cf (without the comments) and the options that are available in your mobile phone for authentication.
Thanks, Sandy, Postfix is now logging. Where can I find its output to syslog? As for its configuration, both files attached as requested. My Nokia 9300i supports SMTP auth. For additional information, it sends happily using my internal wireless network but not through my service provider's internet connection.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
home_mailbox = Maildir/
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain, DMJ-Consultancy.co.uk, DMJ-Consultancy.me.uk, DMJ-Consultancy.org.uk
myhostname = General.DMJ-Consultancy.local
mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
myorigin = DMJ-Consultancy.me.uk
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_clientcerts = hash:/etc/postfix/relay_ccerts
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /Working.Files/Company/Certificates/ssl/Authority/CA.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /Working.Files/Company/Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_key_file = /Working.Files/Company/Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_loglevel = 0
smtpd_tls_req_ccert = yes
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
  -o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail unix - n n - - pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
John wrote:
Sandy Drobic wrote:
John wrote:
[snip]
Output from mail.info log when I tried to send an email from my mobile:
Jun 26 16:46:53 General postfix/smtpd[28635]: connect from host212-183-132-19.uk.access.vodafone.net[212.183.132.19]
Jun 26 16:47:05 General postfix/smtpd[28635]: 6B1181D5A7: client=host212-183-132-19.uk.access.vodafone.net[212.183.132.19]
Jun 26 16:47:07 General postfix/smtpd[28635]: 6B1181D5A7: reject: RCPT from host212-183-132-19.uk.access.vodafone.net[212.183.132.19]: 554 <==recipient==>: Relay access denied; from=<John@DMJ-Consultancy.co.uk> to=<==recipient==> proto=ESMTP helo=<[10.181.222.15]>
Jun 26 16:47:07 General postfix/smtpd[28635]: disconnect from host212-183-132-19.uk.access.vodafone.net[212.183.132.19]
John wrote:
Sandy Drobic wrote:
Please post the output of "postconf -n" , /etc/postfix/master.cf (without the comments) and the options that are available in your mobile phone for authentication.
Thanks, Sandy, Postfix is now logging. Where can I find its output to syslog?
Postfix logs to mail.*, where Syslog is depositing the facility mail is configured in /etc/syslogd.conf (or /etc/syslog-ng/syslog-ng.conf).
As for its configuration, both files attached as requested. My Nokia 9300i supports SMTP auth. For additional information, it sends happily using my internal wireless network but not through my service provider's internet connection.
No wonder, according to your config it doesn't need to authenticate within your network. (^-^)
------------------------------------------------------------------------
broken_sasl_auth_clients = yes
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, DMJ-Consultancy.co.uk, DMJ-Consultancy.me.uk, DMJ-Consultancy.org.uk
myhostname = General.DMJ-Consultancy.local
mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
relay_clientcerts = hash:/etc/postfix/relay_ccerts
smtpd_helo_required = no

If this server is connected to the internet (as it appears) I suggest you change this to "yes". Every client is required to send helo.

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination

Okay. Though you haven't used any restrictions to reject spam or viruses.

smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no

Unless you set "yes" here, Postfix will not offer the option to authenticate.

smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

Now it gets a little tricky. The options themselves are reasonable, provided your server can offer auth mechanism other than PLAIN and LOGIN. To see what your server can offer please post the output of "ls -l /usr/lib/sasl2" and the content of /usr/lib/sasl2/smtpd.conf. If you are using Cyrus as Imapserver and saslauthd for authentication, you are out of luck. Saslauthd only supports plaintext mechanisms (PLAIN and LOGIN).

smtpd_sender_restrictions = hash:/etc/postfix/access

Explicitly written, this would be:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access

Please be aware that this will affect ALL mails (you didn't set "permit_mynetworks" or "permit_sasl_authenticated" before this check). Unless you really use this file I suggest you remove this line.

smtpd_tls_CAfile = /Working.Files/Company/Certificates/ssl/Authority/CA.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes

This will only offer smtp auth if the client uses TLS encrypted connections to authenticate. If your mobile phone doesn't support STARTTLS you are again out of luck.

smtpd_tls_cert_file = /Working.Files/Company/Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_key_file = /Working.Files/Company/Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_loglevel = 0
smtpd_tls_req_ccert = yes
smtpd_use_tls = yes

These settings are okay.

-- Sandy
Sandy Drobic wrote:
John wrote:
Thanks, Sandy, Postfix is now logging. Where can I find its output to syslog?
Postfix logs to mail.*, where Syslog is depositing the facility mail is configured in /etc/syslogd.conf (or /etc/syslog-ng/syslog-ng.conf).
That just points me to the files which weren't being updated when I first logged this. Does that mean that any transactions that happened during this period were not logged at all?
John wrote:
Sandy Drobic wrote:
John wrote:
Thanks, Sandy, Postfix is now logging. Where can I find its output to syslog?
Postfix logs to mail.*, where Syslog is depositing the facility mail is configured in /etc/syslogd.conf (or /etc/syslog-ng/syslog-ng.conf).
That just points me to the files which weren't being updated when I first logged this. Does that mean that any transactions that happened during this period were not logged at all?
If syslog was not running, these log events are lost. By the way, I had a quick look at the manual of the Nokia 9300i, and it seems that it supports TLS, or at least SSL. Enabling smtpd auth and checking what mechs the Nokia supports should do the trick.

- enable SSL in the mail/server configuration of your Nokia (or secure server as they call it IIRC)
- postconf -e "smtpd_sasl_auth_enable = yes"
- postfix reload

Then try it again.

It is possible that your phone does not support STARTTLS. In that case you have to use the older Port 465 with the TCP-Wrapper.

-- Sandy
Sandy Drobic wrote:
John wrote:
Sandy Drobic wrote:
John wrote:
Thanks, Sandy, Postfix is now logging. Where can I find its output to syslog?
Postfix logs to mail.*, where Syslog is depositing the facility mail is configured in /etc/syslogd.conf (or /etc/syslog-ng/syslog-ng.conf).
That just points me to the files which weren't being updated when I first logged this. Does that mean that any transactions that happened during this period were not logged at all?
If syslog was not running, these log events are lost. By the way, I had a quick look at the manual of the Nokia 9300i, and it seems that it supports TLS, or at least SSL. Enabling smtpd auth and checking what mechs the Nokia supports should do the trick.
- enable SSL in the mail/server configuration of your Nokia (or secure server as they call it IIRC)
- postconf -e "smtpd_sasl_auth_enable = yes"
- postfix reload
Then try it again.
It is possible that your phone does not support STARTTLS. In that case you have to use the older Port 465 with the TCP-Wrapper.
The following links are worth looking at...
http://my-symbian.com/forum/viewtopic.php?t=26747&highlight=smtp+authentication
There are other links on the site but the phone throws in a few additional problems. To be frank for your own server it is not worth the candle setting this up, the authenticated server support on the series 80 has not always been reliable. If you have to do to access a third party give it a try but do not have great expectations... If you distrust your phone provider with your e-mail relaying you have a bit of problem.

--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
The Wednesday 2007-06-27 at 00:12 +0100, John wrote:
Postfix logs to mail.*, where Syslog is depositing the facility mail is configured in /etc/syslogd.conf (or /etc/syslog-ng/syslog-ng.conf).
That just points me to the files which weren't being updated when I first logged this. Does that mean that any transactions that happened during this period were not logged at all?
You removed the log files, which is a no-no. You effectively set the syslog daemon into a crazy state and new log data was lost (bug or feature, dunno; probably known (mis)feature). I suppose it kept writing to the file descriptor/reference/whatever of the nonexistent file. You have to reload the daemon so that it knows that somebody has played with his files on his back. You can get a clue that this is known by looking at the /etc/logrotate.d/syslog config file.

-- Cheers, Carlos E. R.
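The behaviour Carlos describes can be reproduced in a scratch directory. The following is an added example, not part of the original thread: the shell stands in for the syslog daemon by holding the log open on file descriptor 3, and the file name and message texts are constructed.

```shell
#!/bin/sh
# Added illustration (not from the thread): a writer that keeps its log open,
# as a syslog daemon does, while the file is "cleaned" underneath it.
# Paths and messages are constructed for the demo.

removed_log_demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/mail"

    # The "daemon": open the log once in append mode and keep fd 3 open.
    exec 3>>"$log"
    echo "msg 1: before cleanup" >&3

    # Cleanup by removal, then an empty file is recreated at the same path.
    # The writer still holds the old, now unlinked, inode.
    rm "$log"
    touch "$log"
    echo "msg 2: written after rm" >&3      # succeeds, but nobody can read it
    after_remove=$(( $(wc -l < "$log") ))   # the visible file stays empty

    # "Reload": close the stale descriptor and reopen the log by path.
    exec 3>&-
    exec 3>>"$log"
    echo "msg 3: written after reopen" >&3
    after_reopen=$(( $(wc -l < "$log") ))

    # Truncating in place keeps the inode, so an append-mode writer
    # carries on logging into the same file without any reload.
    : > "$log"
    echo "msg 4: written after truncate" >&3
    after_truncate=$(( $(wc -l < "$log") ))

    exec 3>&-
    rm -rf "$dir"
    echo "after_remove=$after_remove after_reopen=$after_reopen after_truncate=$after_truncate"
}

removed_log_demo
```

On Linux, `lsof +L1` lists open files whose link count has dropped to zero, which is how this state shows up on a live system.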
Sandy Drobic wrote:
[snip]
smtpd_helo_required = no
If this server is connected to the internet (as it appears) I suggest you change this to "yes". Every client is required to send helo.
Postfix defaults to 'NO' but I've changed it to 'YES'
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
Okay. Though you haven't used any restrictions to reject spam or viruses.
Haven't gotten that far yet! Thunderbird provides my spam filter for now.
smtpd_sasl_application_name = smtpd smtpd_sasl_auth_enable = no
Unless you set "yes" here, Postfix will not offer the option to authenticate.
Set to 'YES', then postfix failed to end this mail (workstation running thunderbird) so I set it back to 'NO' for now as it raises other issues!
smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous
Now it gets a little tricky. The options themselves are reasonable, provided your server can offer auth mechanism other than PLAIN and LOGIN.
To see what your server can offer please post the output of "ls -l /usr/lib/sasl2" and the content of /usr/lib/sasl2/smtpd.conf.
Attached
If you are using Cyrus as Imapserver and saslauthd for authentication, you are out of luck. Saslauthd only supports plaintext mechanisms (PLAIN and LOGIN).
Am I trying to flog the proverbial dead horse in getting my phone to be allowed to use my postfix server, then?

total 164
drwxr-xr-x 2 root root 752 Sep 20 2006 .
drwxr-xr-x 84 root root 28320 Apr 20 20:12 ..
lrwxrwxrwx 1 root root 22 Sep 17 2006 libanonymous.so -> libanonymous.so.2.0.21
lrwxrwxrwx 1 root root 22 Sep 17 2006 libanonymous.so.2 -> libanonymous.so.2.0.21
-rwxr-xr-x 1 root root 13592 Sep 9 2005 libanonymous.so.2.0.21
lrwxrwxrwx 1 root root 20 Sep 17 2006 libcrammd5.so -> libcrammd5.so.2.0.21
lrwxrwxrwx 1 root root 20 Sep 17 2006 libcrammd5.so.2 -> libcrammd5.so.2.0.21
-rwxr-xr-x 1 root root 15796 Sep 9 2005 libcrammd5.so.2.0.21
lrwxrwxrwx 1 root root 22 Sep 17 2006 libdigestmd5.so -> libdigestmd5.so.2.0.21
lrwxrwxrwx 1 root root 22 Sep 17 2006 libdigestmd5.so.2 -> libdigestmd5.so.2.0.21
-rwxr-xr-x 1 root root 43416 Sep 9 2005 libdigestmd5.so.2.0.21
lrwxrwxrwx 1 root root 18 Sep 17 2006 liblogin.so -> liblogin.so.2.0.21
lrwxrwxrwx 1 root root 18 Sep 17 2006 liblogin.so.2 -> liblogin.so.2.0.21
-rwxr-xr-x 1 root root 14420 Sep 9 2005 liblogin.so.2.0.21
lrwxrwxrwx 1 root root 18 Sep 17 2006 libplain.so -> libplain.so.2.0.21
lrwxrwxrwx 1 root root 18 Sep 17 2006 libplain.so.2 -> libplain.so.2.0.21
-rwxr-xr-x 1 root root 14420 Sep 9 2005 libplain.so.2.0.21
lrwxrwxrwx 1 root root 19 Sep 17 2006 libsasldb.so -> libsasldb.so.2.0.21
lrwxrwxrwx 1 root root 19 Sep 17 2006 libsasldb.so.2 -> libsasldb.so.2.0.21
-rwxr-xr-x 1 root root 18756 Sep 9 2005 libsasldb.so.2.0.21
-rw-r--r-- 1 root root 38 Jul 28 2006 slapd.conf
-rw------- 1 root root 65 Sep 18 2006 smtpd.conf

pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN
John wrote:
Sandy Drobic wrote:
[snip]
smtpd_helo_required = no
If this server is connected to the internet (as it appears) I suggest you change this to "yes". Every client is required to send helo.
Postfix defaults to 'NO' but I've changed it to 'YES'
The (Suse!) default doesn't mean anything. The default configuration for Postfix on a suse installation is a nullclient configuration, meant only for sending mails. Part of that is to only accept 2 concurrent connections and listen only on localhost.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
Okay. Though you haven't used any restrictions to reject spam or viruses.
Haven't gotten that far yet! Thunderbird provides my spam filter for now.
smtpd_sasl_application_name = smtpd smtpd_sasl_auth_enable = no
Unless you set "yes" here, Postfix will not offer the option to authenticate.
Set to 'YES', then postfix failed to end this mail (workstation running thunderbird) so I set it back to 'NO' for now as it raises other issues!
Little question: has smtp auth ever worked for you before or is this your first try? If you enable smtpd_auth and restart the server, do you see any warnings in your maillog?
smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous
Now it gets a little tricky. The options themselves are reasonable, provided your server can offer auth mechanism other than PLAIN and LOGIN.
To see what your server can offer please post the output of "ls -l /usr/lib/sasl2" and the content of /usr/lib/sasl2/smtpd.conf.
Attached
If you are using Cyrus as Imapserver and saslauthd for authentication, you are out of luck. Saslauthd only supports plaintext mechanisms (PLAIN and LOGIN).
Am I trying to flog the proverbial dead horse in getting my phone to be allowed to use my postfix server, then?
No, you still have some hope left. (^-^) Your phone supports SSL or at least TLS. That means you can use plaintext mechs like PLAIN or LOGIN if you encrypt the connection.
------------------------------------------------------------------------
pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN
Okay, you NEED either SSL or TLS, otherwise your passwords are transmitted over the wire as clear text (only binhex64 encoded but not encrypted).

The necessary Cyrus libraries are installed. Please for test purposes, enable smtp auth without encryption and check that the server now offers AUTH:

postconf -e "smtpd_tls_auth_only = no"
postconf -e "smtpd_sasl_auth_enable = yes"
postfix reload

Then check at the console of your server:

telnet localhost 25
ehlo localhost

Now you should see the capabilities of your server. One of the lines should start with "250-AUTH PLAIN LOGIN"

Here an example from my server:

250-japantest.homelinux.com
250-PIPELINING
250-SIZE 100000000
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

If you see the auth lines we can work on getting your clients to authenticate.

-- Sandy
Sandy Drobic wrote:
[snip]
smtpd_sasl_application_name = smtpd smtpd_sasl_auth_enable = no
Unless you set "yes" here, Postfix will not offer the option to authenticate.
Set to 'YES', then postfix failed to end this mail (workstation running thunderbird) so I set it back to 'NO' for now as it raises other issues!
Set back to 'YES' last night, about 01:30 and lost all emails until I checked the logs about 09:00 this morning. Error message was:
'Jun 27 09:35:00 General postfix/smtpd[29907]: fatal: no SASL authentication mechanisms'
Set it back to 'NO' and was deluged!
Little question: has smtp auth ever worked for you before or is this your first try?
I'm not sure that it has; I tried this last year (Thread '[SLE] at wits end with postfix & SASL') and thought I'd gotten it sorted but when I was abroad recently, it still failed, so obviously, I hadn't.
If you enable smtpd_auth and restart the server, do you see any warnings in your maillog?
Nothing specific; I've written a script which allows me to look at the last n lines of all four log files and I've attached the results from this test for inspection. You can see that I tried this at 12:43:41!
smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous
Now it gets a little tricky. The options themselves are reasonable, provided your server can offer auth mechanism other than PLAIN and LOGIN.
To see what your server can offer please post the output of "ls -l /usr/lib/sasl2" and the content of /usr/lib/sasl2/smtpd.conf.
Attached
If you are using Cyrus as Imapserver and saslauthd for authentication, you are out of luck. Saslauthd only supports plaintext mechanisms (PLAIN and LOGIN).
Am I trying to flog the proverbial dead horse in getting my phone to be allowed to use my postfix server, then?
No, you still have some hope left. (^-^)
Your phone supports SSL or at least TLS. That means you can use plaintext mechs like PLAIN or LOGIN if you encrypt the connection.
------------------------------------------------------------------------
pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN
Okay, you NEED either SSL or TLS, otherwise your passwords are transmitted over the wire as clear text (only binhex64 encoded but not encrypted).
The necessary Cyrus libraries are installed. Please for test purposes, enable smtp auth without encryption and check that the server now offers AUTH:
postconf -e "smtpd_tls_auth_only = no"
postconf -e "smtpd_sasl_auth_enable = yes"
postfix reload
Then check at the console of your server:
telnet localhost 25
ehlo localhost
Now you should see the capabilities of your server. One of the lines should start with "250-AUTH PLAIN LOGIN"
With smtpd_sasl_auth_enable set 'YES' , all I see is:

General:/etc/postfix # telnet localhost 25
ehlo localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
General:/etc/postfix

Set this parameter to 'NO' and I see:

General:/etc/postfix # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 General.DMJ-Consultancy.local ESMTP Postfix
ehlo localhost
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
General:/etc/postfix #

Now, since I've seen the two lines:

250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN

before, something has been changed in my attempt to get this sorted. Could be the starttls line?

Mail
Jun 27 12:41:23 General postfix/qmgr[29923]: E2AE31D5A7: removed
Jun 27 12:41:23 General postfix/smtpd[30260]: disconnect from sc157.sjc.collab.net[204.16.104.146]
Jun 27 12:43:31 General postfix/postfix-script: refreshing the Postfix mail system
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max connection rate 1/60s for (smtp:204.16.104.146) at Jun 27 12:41:22
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max connection count 1 for (smtp:204.16.104.146) at Jun 27 12:41:22
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max cache size 1 at Jun 27 12:41:22
------------
Mail.err
Jun 27 09:35:00 General postfix/smtpd[29912]: fatal: no SASL authentication mechanisms
------------
Mail.warn
Jun 27 12:06:13 General postfix/smtpd[30195]: warning: 125.235.64.36: hostname 125.235.64.36.adsl.viettel.vn verification failed: Name or service not known
------------
Mail.info
Jun 27 12:41:23 General postfix/qmgr[29923]: E2AE31D5A7: removed
Jun 27 12:41:23 General postfix/smtpd[30260]: disconnect from sc157.sjc.collab.net[204.16.104.146]
Jun 27 12:43:31 General postfix/postfix-script: refreshing the Postfix mail system
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max connection rate 1/60s for (smtp:204.16.104.146) at Jun 27 12:41:22
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max connection count 1 for (smtp:204.16.104.146) at Jun 27 12:41:22
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max cache size 1 at Jun 27 12:41:22
------------
John wrote:
Sandy Drobic wrote:
[snip]
smtpd_sasl_application_name = smtpd smtpd_sasl_auth_enable = no
Unless you set "yes" here, Postfix will not offer the option to authenticate.
Set to 'YES', then postfix failed to end this mail (workstation running thunderbird) so I set it back to 'NO' for now as it raises other issues!
Set back to 'YES' last night, about 01:30 and lost all emails until I checked the logs about 09:00 this morning. Error message was:
'Jun 27 09:35:00 General postfix/smtpd[29907]: fatal: no SASL authentication mechanisms'
Uh, oh!! This looks as if you have misconfigured your Cyrus sasl configuration in some way.
Set it back to 'NO' and was deluged!
Little question: has smtp auth ever worked for you before or is this your first try?
I'm not sure that it has; I tried this last year (Thread '[SLE] at wits end with postfix & SASL') and thought I'd gotten it sorted but when I was abroad recently, it still failed, so obviously, I hadn't.
In that case we should start from the beginning. You have mixed TLS and SASL parameters, but it seems as if they don't completely work. I usually start with Cyrus sasl, and if that is working reliably I add TLS and set "smtpd_tls_auth_only = yes".
If you enable smtpd_auth and restart the server, do you see any warnings in your maillog?
Nothing specific; I've written a script which allows me to look at the last n lines of all four log files and I've attached the results from this test for inspection. You can see that I tried this at 12:43:41!
I get a log excerpt every day by mail with all the log lines that are not flagged as normal. Great to track trouble before it is reported by users. Mailgraph also provides almost real-time stats for email flow (received, delivered, spam, virus, rejected). Additionally I recommend to use pflogsumm as a summary of your email situation.
smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous
IIRC you have forbidden plaintext mechs when the connection is not encrypted.

smtpd_sasl_security_options = noanonymous, noplaintext

Change that to

smtpd_sasl_security_options = noanonymous

"reload postfix", and then try again. Your main problem is that you have activated too many TLS and AUTH parameters without confirming first that the basics work. I am almost tempted to say "let's remove all of those and then start at the beginning."
Now you should see the capabilities of your server. One of the lines should start with "250-AUTH PLAIN LOGIN"
Now, since I've seen the two lines:
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
before, something has been changed in my attempt to get this sorted. Could be the starttls line?
Not exactly. Rather it was the "smtpd_tls_auth_only = yes". As a consequence you can only authenticate if you first encrypt the connection using starttls.
------------------------------------------------------------------------
Mail
Jun 27 12:41:23 General postfix/qmgr[29923]: E2AE31D5A7: removed
Jun 27 12:41:23 General postfix/smtpd[30260]: disconnect from sc157.sjc.collab.net[204.16.104.146]
Jun 27 12:43:31 General postfix/postfix-script: refreshing the Postfix mail system
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max connection rate 1/60s for (smtp:204.16.104.146) at Jun 27 12:41:22
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max connection count 1 for (smtp:204.16.104.146) at Jun 27 12:41:22
Jun 27 12:43:31 General postfix/anvil[30262]: statistics: max cache size 1 at Jun 27 12:41:22

Business as usual, looks fine.

------------
Mail.err
Jun 27 09:35:00 General postfix/smtpd[29912]: fatal: no SASL authentication mechanisms

"Fatal error" means the system can't work due to a serious misconfiguration.

------------
Mail.warn
Jun 27 12:06:13 General postfix/smtpd[30195]: warning: 125.235.64.36: hostname 125.235.64.36.adsl.viettel.vn verification failed: Name or service not known

Harmless, a spam zombie does not have a matching reverse dns record. That happens a lot. I get dozens and hundreds of these dns errors every day. This is only informational logging.

-- Sandy
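The two EHLO replies quoted in this thread can be told apart mechanically. This is an added example, not written by anyone in the thread: it parses a captured EHLO reply and reports whether AUTH is advertised and whether STARTTLS is offered. The function names and verdict labels are hypothetical, and the two samples are copied from the replies quoted above.

```shell
#!/bin/sh
# Added illustration (not from the thread). Samples are the EHLO replies
# quoted in the thread, embedded so the script runs offline.

sample_auth_offered() { cat <<'EOF'
250-japantest.homelinux.com
250-PIPELINING
250-SIZE 100000000
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}

sample_tls_auth_only() { cat <<'EOF'
220 General.DMJ-Consultancy.local ESMTP Postfix
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
EOF
}

# stdin: raw EHLO reply. stdout: "starttls=<yes|no> auth=<mech,mech|none>"
ehlo_caps() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF captures
        /^250[- ]/ {
            cap = toupper(substr($0, 5))        # text after "250-" or "250 "
            if (cap == "STARTTLS") tls = "yes"
            if (cap ~ /^AUTH[ =]/) {            # "AUTH ..." and legacy "AUTH=..."
                n = split(substr(cap, 6), m, " ")
                for (i = 1; i <= n; i++)
                    if (!(m[i] in seen)) {
                        seen[m[i]] = 1
                        list = list (list == "" ? "" : ",") m[i]
                    }
            }
        }
        END {
            printf "starttls=%s auth=%s\n", (tls ? tls : "no"), (list != "" ? list : "none")
        }'
}

# stdin: raw EHLO reply. stdout: one verdict label.
ehlo_verdict() {
    caps=$(ehlo_caps)
    case "$caps" in
        "starttls=yes auth=none")
            # Consistent with smtpd_tls_auth_only = yes: repeat EHLO inside TLS,
            # e.g. via: openssl s_client -starttls smtp -connect localhost:25
            echo "check-inside-tls" ;;
        "starttls=no auth=none")
            echo "no-auth" ;;
        starttls=no\ auth=*)
            # PLAIN/LOGIN credentials would cross the wire unencrypted.
            echo "cleartext-auth" ;;
        *)
            echo "auth-before-tls" ;;
    esac
}

echo "Sandy's server: $(sample_auth_offered | ehlo_caps) -> $(sample_auth_offered | ehlo_verdict)"
echo "John's server:  $(sample_tls_auth_only | ehlo_caps) -> $(sample_tls_auth_only | ehlo_verdict)"
```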
Hi,

I'm still trying to send email from my mobile phone through my Postfix (on SuSE 10.0) server. I believe I have a TLS connection set up and working but the server does not allow me to relay mail from my phone to external recipients. Copy of log for such an attempt follows:

Sep 17 19:09:41 General postfix/smtpd[19573]: connect from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]
Sep 17 19:09:43 General postfix/smtpd[19573]: setting up TLS connection from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]
Sep 17 19:09:43 General postfix/smtpd[19573]: SSL_accept:before/accept initialization
Sep 17 19:09:43 General postfix/smtpd[19573]: SSL_accept:error in SSLv2/v3 read client hello A
Sep 17 19:09:44 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read client hello B
Sep 17 19:09:44 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read client hello B
Sep 17 19:09:44 General postfix/smtpd[19573]: SSL_accept:SSLv3 read client hello B
Sep 17 19:09:44 General postfix/smtpd[19573]: SSL_accept:SSLv3 write server hello A
Sep 17 19:09:44 General postfix/smtpd[19573]: SSL_accept:SSLv3 write certificate A
Sep 17 19:09:44 General postfix/smtpd[19573]: SSL_accept:SSLv3 write certificate request A
Sep 17 19:09:44 General postfix/smtpd[19573]: SSL_accept:SSLv3 flush data
Sep 17 19:09:44 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read client certificate A
Sep 17 19:09:48 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read client certificate A
Sep 17 19:09:48 General postfix/smtpd[19573]: SSL_accept:SSLv3 read client certificate A
Sep 17 19:09:48 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read client key exchange A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read client key exchange A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:SSLv3 read client key exchange A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read certificate verify A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read certificate verify A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read certificate verify A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:error in SSLv3 read certificate verify A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:SSLv3 read finished A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:SSLv3 write change cipher spec A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:SSLv3 write finished A
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:SSLv3 flush data
Sep 17 19:09:49 General postfix/smtpd[19573]: TLS connection established from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Sep 17 19:09:52 General postfix/smtpd[19573]: NOQUEUE: reject: RCPT from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]: 554 <Recipient@ntlworld.com>: Relay access denied; from=<Sender@DMJ-Consultancy.co.uk> to=<Recipient@ntlworld.com> proto=ESMTP helo=<[xxx.xxx.xxx.xxx]>
Sep 17 19:09:53 General postfix/smtpd[19573]: disconnect from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]

('Recipient', 'Sender' and 'xxx.xxx.xxx.xxx' replace actual detail to maintain recipient's privacy!)

I am reluctant to put the vodafone.net IP subnet address (212.183.132.0/24) in mynetworks since I fear this could then open me to being a relay for that set of addresses. (the last octet is not always 39).

How can I allow mail with from=<?@DMJ-Consultancy.co.uk> to pass through my server from my phone? (Bizarrely, if I send an email to myself from my phone, it gets relayed as one of the mydestination names.)

TIA
John
(Phone = Nokia 9300i configured to use StartTLS when sending email)
John wrote:
Hi,
I'm still trying to send email from my mobile phone through my Postfix (on SuSE 10.0) server. I believe I have a TLS connection set up and working but the server does not allow me to relay mail from my phone to external recipients. Copy of log for such an attempt follows:
<snip>
with cipher RC4-MD5 (128/128 bits)
Sep 17 19:09:52 General postfix/smtpd[19573]: NOQUEUE: reject: RCPT from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]: 554 <Recipient@ntlworld.com>: Relay access denied;
^^^^^^^^^^^^^^^^^^^^
from=<Sender@DMJ-Consultancy.co.uk> to=<Recipient@ntlworld.com> proto=ESMTP helo=<[xxx.xxx.xxx.xxx]>
<snip>
TIA
John
(Phone = Nokia 9300i configured to use StartTLS when sending email)
Hmmm... As you say, it looks as if postfix is set to not allow relaying of mail from external addresses... As vodafone in the UK apply a NAT to their local addressing and the externally advertised IP address does change a bit you are also wise to avoid allowing relaying from the vodafone address space.
You probably need to set up authenticated SMTP on your postfix server and give the accounts relay rights. Unfortunately, the Nokia end of authenticated SMTP is a bit of a pig to set up by some accounts, (and I have always used the vodafone mail server to relay mail so I have not indulged in this particular bit of pain myself). You should be able to find assistance on this on the www.mycommunicator.com website.
If you forward your postfix configuration file to the list there are others on this list who can give assistance on how to set authenticated SMTP up for you.
--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
G T Smith wrote:
John wrote:
Hi,
I'm still trying to send email from my mobile phone through my Postfix (on SuSE 10.0) server. I believe I have a TLS connection set up and working but the server does not allow me to relay mail from my phone to external recipients. Copy of log for such an attempt follows:
<snip>
If you forward your postfix configuration file to the list there are others on this list who can give assistance on how to set authenticated SMTP up for you.
postconf output follows:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
home_mailbox = Maildir/
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain, DMJ-Consultancy.co.uk, DMJ-Consultancy.me.uk, DMJ-Consultancy.org.uk
myhostname = General.DMJ-Consultancy.local
mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
myorigin = DMJ-Consultancy.me.uk
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_clientcerts = hash:/etc/postfix/relay_ccerts
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtpd_client_restrictions =
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /Certificates/ssl/Authority/CA.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_key_file = /Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
J
John wrote:
G T Smith wrote:
John wrote:
Hi,
I'm still trying to send email from my mobile phone through my Postfix (on SuSE 10.0) server. I believe I have a TLS connection set up and working but the server does not allow me to relay mail from my phone to external recipients. Copy of log for such an attempt follows:
Just a little question. In your config below I see two possibilities to authenticate: either by using conventional user/pass or by using a client certificate. Which one are you trying to implement? Did you test both of them?
postconf output follows:
broken_sasl_auth_clients = yes
mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
relay_clientcerts = hash:/etc/postfix/relay_ccerts
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
Er, hello?!? If you want to use smtp auth you need to set this to "yes"!
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /Certificates/ssl/Authority/CA.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_key_file = /Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_use_tls = yes
The rest looks fine. If you are trying to use client certs, did you put the client cert on your phone? I don't remember seeing a line in the tls log where the client (your phone) is presenting a client certificate.
If you can't get saslfinger to work, please show the output of the last line of this command (the capabilities of your server after a tls connection has been established and the ehlo command is invoked):
openssl s_client -starttls smtp -connect localhost:25
ehlo localhost
Please also post the content of /usr/lib/sasl2/smtpd.conf.
If you are trying to use client certificates for authentication please also post the content of /etc/postfix/relay_ccerts and verify that it is indeed the fingerprint of your client certificate.
-- Sandy
Sandy Drobic wrote:
Just a little question. In your config below I see two possibilities to authenticate: either by using conventional user/pass or by using a client certificate.
Which one are you trying to implement?
Hadn't realised there were two here. I'd like the most secure and least likely to allow someone else access to my server! (BTW I'm using Courier IMAP having set most of this up by working through 'Linux Email' by several authors including Patrick Koetter. My TLS certificate was built based on Chapter 13 of Kyle Dent's O'Reilly publication, 'Postfix - the definitive guide'. It wouldn't surprise me if I've gotten into a muddle trying to work between these books and the readme files with Postfix itself!)
Did you test both of them?
postconf output follows:
broken_sasl_auth_clients = yes
mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
relay_clientcerts = hash:/etc/postfix/relay_ccerts
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
Er, hello?!? If you want to use smtp auth you need to set this to "yes"!
smtpd_sasl_auth_enable = yes
Er yes! - see below
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /Certificates/ssl/Authority/CA.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_key_file = /Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_use_tls = yes
The rest looks fine. If you are trying to use client certs, did you put the client cert on your phone? I don't remember seeing a line in the tls log where the client (your phone) is presenting a client certificate.
The phone has a PKCS12 format key and trusted certificate, the fingerprint of which is the only entry in relay_ccerts alongside my forename as user. This key-and-relay_ccerts-fingerprint set was generated by openssl but I'm hesitant about posting a key on this list.
If you can't get saslfinger to work, please show the output of the last line of this command (the capabilities of your server after a tls connection has been established and the ehlo command is invoked):
openssl s_client -starttls smtp -connect localhost:25
see below (sensitive info cut - hopefully!)
ehlo localhost
Please also post the content of /usr/lib/sasl2/smtpd.conf.
pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN
If you are trying to use client certificates for authentication please also post the content of /etc/postfix/relay_ccerts and verify that it is indeed the fingerprint of your client certificate.
depth=1 /C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=PostOffice.DMJ-Consultancy.me.uk/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
i:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
1 s:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
i:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDVDCCAr2gAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMCVUsx
.......................................
qIRGNhhaclu7lwdDEtpNP2skqcz5VLVVcgwb3eM4TJ01yXFx8ZD8Pw==
-----END CERTIFICATE-----
subject=/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=PostOffice.DMJ-Consultancy.me.uk/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
issuer=/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
---
Acceptable client certificate CA names
/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
---
SSL handshake has read 2500 bytes and written 383 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-A?6-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-A?6-SHA
Session-ID: 8872A2FA0F712B2BC2CFA301BE17D648944093293F266D209236F36579B2718D
Session-ID-ctx:
Master-Key: 8D133580FA......................................345B932674871F1
Key-Arg : None
Start Time: 1190157431
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
ehlo localhost
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
500 Error: bad syntax
Above was with smtpd_sasl_auth_enable = no
Setting it to yes and reloading gives read:errno=32 to the openssl command above
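The two checks made by hand in the messages above (permit_sasl_authenticated listed while smtpd_sasl_auth_enable = no, and an EHLO reply after STARTTLS that carries no AUTH line), plus the mynetworks concern raised earlier in the thread, written as a small audit script. This is an added example, not part of the original thread; the function names and finding codes are assumptions, and the sample input is a subset of the values John posted.

```python
"""Check `postconf -n` output and a post-STARTTLS EHLO reply for relay-auth gaps."""
import ipaddress

# Subset of the postconf output posted in the thread.
SAMPLE_POSTCONF = """\
mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
relay_clientcerts = hash:/etc/postfix/relay_ccerts
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = yes
"""

# EHLO reply seen inside the TLS session in the thread (no AUTH line).
SAMPLE_EHLO = [
    "250-General.DMJ-Consultancy.local", "250-PIPELINING", "250-SIZE 10240000",
    "250-VRFY", "250-ETRN", "250 8BITMIME",
]


def parse_postconf(text):
    """Turn 'name = value' lines into a dict; empty values are kept as ''."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() and not name.lstrip().startswith("#"):
            params[name.strip()] = value.strip()
    return params


def _items(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def audit_relay_auth(params):
    """Return (code, message) findings about who is allowed to relay."""
    findings = []
    restrictions = _items(params.get("smtpd_recipient_restrictions", ""))

    # permit_sasl_authenticated can never match while SASL is switched off.
    if ("permit_sasl_authenticated" in restrictions
            and params.get("smtpd_sasl_auth_enable", "no") != "yes"):
        findings.append(("sasl-disabled",
                         "permit_sasl_authenticated is listed but "
                         "smtpd_sasl_auth_enable is not 'yes'"))

    # permit_tls_clientcerts needs a fingerprint table and a certificate request.
    if "permit_tls_clientcerts" in restrictions:
        if not params.get("relay_clientcerts"):
            findings.append(("no-clientcert-table", "relay_clientcerts is empty"))
        if not any(params.get(p, "no") == "yes"
                   for p in ("smtpd_tls_ask_ccert", "smtpd_tls_req_ccert")):
            findings.append(("ccert-not-requested",
                             "server never asks clients for a certificate"))

    # Every address in a public range listed in mynetworks may relay unauthenticated.
    if "permit_mynetworks" in restrictions:
        for entry in _items(params.get("mynetworks", "")):
            try:
                network = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # table lookups such as hash:/path are not checked here
            if not network.is_private:
                findings.append(("public-mynetworks",
                                 entry + " is a public range that may relay freely"))
    return findings


def ehlo_auth_mechanisms(reply_lines):
    """Return the SASL mechanisms advertised in an EHLO reply ([] if none)."""
    mechanisms = []
    for line in reply_lines:
        line = line.strip()
        if not line.startswith("250"):
            continue
        keyword = line[4:]
        # "AUTH=..." is the legacy form that broken_sasl_auth_clients adds.
        if keyword.upper().startswith(("AUTH ", "AUTH=")):
            for mech in keyword[5:].upper().split():
                if mech not in mechanisms:
                    mechanisms.append(mech)
    return mechanisms


if __name__ == "__main__":
    for code, message in audit_relay_auth(parse_postconf(SAMPLE_POSTCONF)):
        print(code + ": " + message)
    print("AUTH mechanisms offered:", ehlo_auth_mechanisms(SAMPLE_EHLO) or "none")
```
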
John wrote:
Hi,
I'm still trying to send email from my mobile phone through my Postfix (on SuSE 10.0) server. I believe I have a TLS connection set up and working but the server does not allow me to relay mail from my phone to external recipients. Copy of log for such an attempt follows:
[snip...]
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:SSLv3 flush data
Sep 17 19:09:49 General postfix/smtpd[19573]: TLS connection established from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Okay, TLS seems to work. But TLS is NOT, I repeat NOT an authentication method! TLS merely provides an encrypted channel where you can exchange data between server and client without worrying who else is listening between.
Sep 17 19:09:52 General postfix/smtpd[19573]: NOQUEUE: reject: RCPT from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]: 554 <Recipient@ntlworld.com>: Relay access denied; from=<Sender@DMJ-Consultancy.co.uk> to=<Recipient@ntlworld.com> proto=ESMTP helo=<[xxx.xxx.xxx.xxx]>
This indicates that no authentication has taken place. Please check first that your server actually offers authentication and then check the client (your phone), if it actually is configured with username/password to authenticate.
I am reluctant to put the vodafone.net IP subnet address (212.183.132.0/24) in mynetworks since I fear this could then open me to being a relay for that set of addresses. (the last octet is not always 39).
Very good! Yes, that would indeed make you an open relay for that network. Don't do that. Set up smtp auth on your server and client instead.
How can I allow mail with from=<?@DMJ-Consultancy.co.uk> to pass through my server from my phone?
(Bizarrely, if I send an email to myself from my phone, it gets relayed as one of the mydestination names.)
You don't use fully qualified names. Postfix will qualify it later. Usually you reject recipients/senders with non_fqdn_names.
(Phone = Nokia 9300i configured to use StartTLS when sending email)
Set up smtp auth on server and client.
For further help please send the output of "saslfinger -s" of your Postfix box to the list. Patrick's Saslfinger is a script you can easily find.
-- Sandy
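The reading of the log given in the reply above (TLS established, then "Relay access denied", so the channel was encrypted but nobody authenticated) can be applied to a whole mail log. This is an added example, not part of the original thread: the first session is quoted from John's log, the other two sessions are constructed, and the `sasl_method=` line is an assumption about how this Postfix version logs an authenticated client.

```python
"""Classify Postfix smtpd sessions by TLS, SASL and relay-denied events."""
import re

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"connect from (?P<client>\S+)$")
TLS_UP = re.compile(r"TLS connection established from \S+: "
                    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
SASL = re.compile(r"\bsasl_method=(?P<method>[^,\s]+)")
DENIED = re.compile(r"NOQUEUE: reject: RCPT from \S+: 554 .*Relay access denied; "
                    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

# Session 19573 is quoted from the thread; 19580 and 19591 are constructed.
SAMPLE_LOG = """\
Sep 17 19:09:41 General postfix/smtpd[19573]: connect from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]
Sep 17 19:09:49 General postfix/smtpd[19573]: SSL_accept:SSLv3 flush data
Sep 17 19:09:49 General postfix/smtpd[19573]: TLS connection established from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Sep 17 19:09:52 General postfix/smtpd[19573]: NOQUEUE: reject: RCPT from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]: 554 <Recipient@ntlworld.com>: Relay access denied; from=<Sender@DMJ-Consultancy.co.uk> to=<Recipient@ntlworld.com> proto=ESMTP helo=<[xxx.xxx.xxx.xxx]>
Sep 17 19:09:53 General postfix/smtpd[19573]: disconnect from host212-183-132-39.uk.access.vodafone.net[212.183.132.39]
Sep 17 19:12:01 General postfix/smtpd[19580]: connect from unknown[192.0.2.10]
Sep 17 19:12:02 General postfix/smtpd[19580]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <someone@example.net>: Relay access denied; from=<probe@example.org> to=<someone@example.net> proto=SMTP helo=<example.org>
Sep 17 19:12:02 General postfix/smtpd[19580]: disconnect from unknown[192.0.2.10]
Sep 17 19:20:10 General postfix/smtpd[19591]: connect from unknown[192.0.2.20]
Sep 17 19:20:12 General postfix/smtpd[19591]: TLS connection established from unknown[192.0.2.20]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Sep 17 19:20:14 General postfix/smtpd[19591]: 4F2A1C0D3E: client=unknown[192.0.2.20], sasl_method=PLAIN, sasl_username=example-user
Sep 17 19:20:15 General postfix/smtpd[19591]: disconnect from unknown[192.0.2.20]
"""


def summarise_sessions(lines):
    """Group smtpd lines by process id between 'connect' and 'disconnect'."""
    live, finished = {}, []
    for line in lines:
        hit = SMTPD.search(line)
        if not hit:
            continue
        pid, msg = hit["pid"], hit["msg"]
        started = CONNECT.match(msg)
        if started:
            live[pid] = {"client": started["client"], "tls": None,
                         "sasl": None, "denied": []}
            continue
        session = live.get(pid)
        if session is None:
            continue  # event for a session whose start is outside the input
        tls, sasl, denied = TLS_UP.match(msg), SASL.search(msg), DENIED.match(msg)
        if tls:
            session["tls"] = tls["proto"] + " " + tls["cipher"]
        if sasl:
            session["sasl"] = sasl["method"]
        if denied:
            session["denied"].append((denied["sender"], denied["rcpt"]))
        if msg.startswith("disconnect from "):
            finished.append(live.pop(pid))
    return finished + list(live.values())


def classify(session):
    """Say why a relay attempt failed, judged by what the session negotiated."""
    if not session["denied"]:
        return "no-relay-denial"
    if session["sasl"]:
        return "denied-despite-sasl"
    # Encryption alone never grants relay rights: no SASL login was logged.
    return "tls-without-auth" if session["tls"] else "plaintext-without-auth"


if __name__ == "__main__":
    for s in summarise_sessions(SAMPLE_LOG.splitlines()):
        print(s["client"], classify(s), s["tls"], s["denied"])
```

A "tls-without-auth" session from a known device points at a client or SASL configuration problem, as in this thread, while "plaintext-without-auth" sessions from unknown hosts are the usual relay probes.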
Sandy Drobic wrote:
[snip]
For further help please send the output of "saslfinger -s" of your Postfix box to the list. Patrick's Saslfinger is a script you can easily find.
True, the script was easily found. However, running install gave the error:
: bad interpreter: No such file or directory
so I copied the files manually to the paths given (and chmoded them). 'man 1 saslfinger' works but 'saslfinger -s' gives the :bad interpreter error above. I hadn't bargained for debugging the debugging tool! Next stop - read the script and run manually.
J
John wrote:
True, the script was easily found. However, running install gave the error:
: bad interpreter: No such file or directory
so I copied the files manually to the paths given (and chmoded them). 'man 1 saslfinger' works but 'saslfinger -s' gives the :bad interpreter error above. I hadn't bargained for debugging the debugging tool! Next stop - read the script and run manually.
What is the first line of the script you're trying to run? If it is something different from a bash (#!/bin/bash) or sh (#!/bin/sh) script, like perl, python or ruby (not to mention php) my guess would be that the interpreter has not been installed on your system, or in a directory different from that first line.
-- Jos van Kan
registered Linux user #152704
Jos van Kan wrote:
What is the first line of the script you're trying to run? If it is something different from a bash (#!/bin/bash) or sh (#!/bin/sh) script, like perl, python or ruby (not to mention php) my guess would be that the interpreter has not been installed on your system, or in a directory different from that first line.
First line is:
#!/bin/bash
(#!/bin/sh scripts work fine)
J
John wrote:
Sandy Drobic wrote:
[snip]
For further help please send the output of "saslfinger -s" of your Postfix box to the list. Patrick's Saslfinger is a script you can easily find.
True, the script was easily found. However, running install gave the error:
: bad interpreter: No such file or directory
so I copied the files manually to the paths given (and chmoded them). 'man 1 saslfinger' works but 'saslfinger -s' gives the :bad interpreter error above. I hadn't bargained for debugging the debugging tool! Next stop - read the script and run manually.
The most probable explanation is a bad line break, the difference between windows and unix line feeds. View the file with the viewer of mc, then you should see the control characters. Either find a correctly encoded version or convert your script with dos2unix, recode...
I remember that it happened to me as well some years ago.
-- Sandy
Sandy Drobic wrote:
The most probable explanation is a bad line break, the difference between windows and unix line feeds. View the file with the viewer of mc, then you should see the control characters. Either find a correct encoded version or convert your script with dos2unix, recode...
I remember that it happened to me as well some years ago.
Hi, Sandy,
That'll teach me not to try and be lazy! Now that I've expanded the tar file properly with tar, I can attach the output from saslfinger!
saslfinger - postfix Cyrus sasl configuration Tue Sep 18 23:56:06 BST 2007
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.2.5
System: Welcome to SUSE LINUX 10.0 (i586) - Kernel \r (\l).
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x400ed000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /Certificates/ssl/Authority/CA.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_key_file = /Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_use_tls = yes
-- listing of /usr/lib/sasl2 --
total 420
drwxr-xr-x 2 root root 752 Sep 20 2006 .
drwxr-xr-x 84 root root 28320 Sep 18 20:06 ..
-rwxr-xr-x 1 root root 13592 Sep 9 2005 libanonymous.so
-rwxr-xr-x 1 root root 13592 Sep 9 2005 libanonymous.so.2
-rwxr-xr-x 1 root root 13592 Sep 9 2005 libanonymous.so.2.0.21
-rwxr-xr-x 1 root root 15796 Sep 9 2005 libcrammd5.so
-rwxr-xr-x 1 root root 15796 Sep 9 2005 libcrammd5.so.2
-rwxr-xr-x 1 root root 15796 Sep 9 2005 libcrammd5.so.2.0.21
-rwxr-xr-x 1 root root 43416 Sep 9 2005 libdigestmd5.so
-rwxr-xr-x 1 root root 43416 Sep 9 2005 libdigestmd5.so.2
-rwxr-xr-x 1 root root 43416 Sep 9 2005 libdigestmd5.so.2.0.21
-rwxr-xr-x 1 root root 14420 Sep 9 2005 liblogin.so
-rwxr-xr-x 1 root root 14420 Sep 9 2005 liblogin.so.2
-rwxr-xr-x 1 root root 14420 Sep 9 2005 liblogin.so.2.0.21
-rwxr-xr-x 1 root root 14420 Sep 9 2005 libplain.so
-rwxr-xr-x 1 root root 14420 Sep 9 2005 libplain.so.2
-rwxr-xr-x 1 root root 14420 Sep 9 2005 libplain.so.2.0.21
-rwxr-xr-x 1 root root 18756 Sep 9 2005 libsasldb.so
-rwxr-xr-x 1 root root 18756 Sep 9 2005 libsasldb.so.2
-rwxr-xr-x 1 root root 18756 Sep 9 2005 libsasldb.so.2.0.21
-rw-r--r-- 1 root root 38 Jul 28 2006 slapd.conf
-rw------- 1 root root 65 Sep 18 2006 smtpd.conf
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp -o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail unix - n n - - pipe flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
-- mechanisms on localhost --
-- end of saslfinger output --
J
Sandy Drobic wrote:
[snip]
Okay, TLS seems to work. But TLS is NOT, I repeat NOT an authentication method! TLS merely provides an encrypted channel where you can exchange data between server and client without worrying who else is listening between.
That's where the penny dropped - you might have heard it!! I've checked my SASL set up and found that it was not authenticating - I found a bogus character in the smtpd.conf file. Now that this character has been removed, SASL Authentication seems to be working and I have sent an email from my phone to an external recipient - objective achieved.
Thanks to everyone who contributed to helping me on this
J
John wrote:
Sandy Drobic wrote:
[snip]
smtpd_helo_required = no
Am I trying to flog the proverbial dead horse in getting my phone to be allowed to use my postfix server, then?
Possibly not.. (sorry about typo in original my-communicator address) you may have to configure the server to fit what the phone will work with... This thread from the my-symbian.com forums goes through some of the issues on the series 80 (9300i/9300/9500)... There are other places where this is discussed... kind of a regular topic...
http://my-symbian.com/forum/viewtopic.php?t=20752&postdays=0&postorder=asc&start=10
The phone implementation of these things is a little constrained...
John wrote:
Sandy Drobic wrote:
John wrote:
Running SuSE 10.0 on my server, I'm trying to see why my mobile phone isn't allowed to relay through it. However, having tried to clean my log files to make finding the test section easier, I seem to have stopped the logging process. Two tries at postfix reload have not resolved the issue and after about an hour, mail, mail.err, mail.warn and mail.info all remain empty.
Postfix is not logging to /var/log/mail itself, instead it is sending all log notifications to syslog. In other words: you need to restart syslog.
You probably need to set up smtp auth for Postfix to allow relaying from your mobile phone. Most of these devices have pretty miserable options to configure smtp auth.
Please post the output of "postconf -n" , /etc/postfix/master.cf (without the comments) and the options that are available in your mobile phone for authentication.
Thanks, Sandy, Postfix is now logging. Where can I find its output to syslog?
As for its configuration, both files attached as requested. My Nokia 9300i supports SMTP auth. For additional information, it sends happily using my internal wireless network but not through my service provider's internet connection.
Have you set the mail account on the phone for roaming? For your phone service provider you should ideally use the SMTP server to your phone server provider's mail relay server, not your own. You can associate SMTP server by connection on series 80 phones, so the GPRS connection can have a distinct relay to that of your home network.
I have found that the GPRS IP addresses tend to be NAT configured behind a firewall, and your phone is on the wrong side of that firewall and it is quite likely that they may not be permitting you to directly access your mail server from their network for mail relaying purposes (check with your supplier). In fact some providers in the UK are a bit of a pain in what they will allow you to connect to.
BTW A useful tool to find the actual IP address out on a series 80 phone is the free FTP server.
John wrote:
Running SuSE 10.0 on my server, I'm trying to see why my mobile phone isn't allowed to relay through it. However, having tried to clean my log files to make finding the test section easier, I seem to have stopped the logging process. Two tries at postfix reload have not resolved the issue and after about an hour, mail, mail.err, mail.warn and mail.info all remain empty.
Any suggestions, please?
rcsyslog status
if it's not running, then:
rcsyslog start
Joe
Sloan wrote:
John wrote:
Running SuSE 10.0 on my server, I'm trying to see why my mobile phone isn't allowed to relay through it. However, having tried to clean my log files to make finding the test section easier, I seem to have stopped the logging process. Two tries at postfix reload have not resolved the issue and after about an hour, mail, mail.err, mail.warn and mail.info all remain empty.
Any suggestions, please?
rcsyslog status
if it's not running, then:
rcsyslog start
Joe
Thanks, Joe!
John wrote:
Running SuSE 10.0 on my server, I'm trying to see why my mobile phone isn't allowed to relay through it. However, having tried to clean my log files to make finding the test section easier, I seem to have stopped the logging process. Two tries at postfix reload have not resolved the issue and after about an hour, mail, mail.err, mail.warn and mail.info all remain empty.
Any suggestions, please?
TIA
J
Which mobile phone? WiFi, Bluetooth, USB connection or via your provider (all possible here)? I have experience with Symbian OS and there are a few tricks to this. Windows, Treo or Blackberry are a different set of problems. Some more details would help?
participants (6)
- Carlos E. R.
- G T Smith
- John
- Jos van Kan
- Sandy Drobic
- Sloan