Postfix and authentication problem

Hi,
I have a Postfix 2.5.1 mail server on Ubuntu 8.04. Recently, I got a new SMTP relay service to send out my mails. But for some reason, every time I try to send mail I get this error:
(host relay.somehost.com[<ip_address_hidden>] said: 550 5.7.1 <testmail@hotmail.com>... Relaying denied. Proper authentication required. (in reply to RCPT TO command))

Here is my postconf output:
-------------------------------------------------------------------------------
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mydestination = mydomain.com
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination
relayhost = [relay.somehost.com]:940
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

smtpd_helo_restrictions = permit_mynetworks, reject_unknown_client, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname, permit

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_client, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_recipient_domain, permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
-------------------------------------------------------------------------------
My sasl_passwd has the relay host with username and password. And I used postmap to make a db file of it.
Also, I tried this method to make sure that my user and pass are working:
perl -MMIME::Base64 -e 'print encode_base64("\000myuser\000mypass")'
And then tested with usual telnet method. It works. So the problem has to be with Postfix.

Any suggestions? Is there a way to do a higher level debug of Postfix?

Thanks in advance,
Nitin

Run saslfinger -c and show output: saslfinger - debugging SMTP AUTH in Postfix

Also, show postconf -n output, not your entire postconf file.

Thanks for the reply. The above post is my postconf -n output. Also, I did run saslfinger -c .. I didn't get any errors.
Here is the output of saslfinger:
--------------------------------------------
root@myhost:~# saslfinger -c
saslfinger - postfix Cyrus sasl configuration [...] 20 15:29:41 EDT 2008
version: 1.0.4
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.5.1
System: Ubuntu 8.04.1 \n \l

-- smtp is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7dbe000)

-- active SMTP AUTH and TLS parameters for smtp --
relayhost = [relay.******t.com]:26
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

-- listing of /usr/lib/sasl2 --
total 847
drwxr-xr-x 2 root root 1472 2008-10-18 02:40 .
drwxr-xr-x 176 root root 47144 2008-10-19 19:50 ..
-rw-r--r-- 1 root root 13568 2008-04-09 17:50 libanonymous.a
-rw-r--r-- 1 root root 862 2008-04-09 17:49 libanonymous.la
-rw-r--r-- 1 root root 12984 2008-04-09 17:50 libanonymous.so
-rw-r--r-- 1 root root 12984 2008-04-09 17:50 libanonymous.so.2
-rw-r--r-- 1 root root 12984 2008-04-09 17:50 libanonymous.so.2.0.22
-rw-r--r-- 1 root root 15834 2008-04-09 17:50 libcrammd5.a
-rw-r--r-- 1 root root 848 2008-04-09 17:49 libcrammd5.la
-rw-r--r-- 1 root root 15320 2008-04-09 17:50 libcrammd5.so
-rw-r--r-- 1 root root 15320 2008-04-09 17:50 libcrammd5.so.2
-rw-r--r-- 1 root root 15320 2008-04-09 17:50 libcrammd5.so.2.0.22
-rw-r--r-- 1 root root 46332 2008-04-09 17:50 libdigestmd5.a
-rw-r--r-- 1 root root 871 2008-04-09 17:49 libdigestmd5.la
-rw-r--r-- 1 root root 43020 2008-04-09 17:50 libdigestmd5.so
-rw-r--r-- 1 root root 43020 2008-04-09 17:50 libdigestmd5.so.2
-rw-r--r-- 1 root root 43020 2008-04-09 17:50 libdigestmd5.so.2.0.22
-rw-r--r-- 1 root root 26608 2008-04-09 22:15 libgssapiv2.a
-rw-r--r-- 1 root root 1025 2008-04-09 22:14 libgssapiv2.la
-rw-r--r-- 1 root root 25260 2008-04-09 22:15 libgssapiv2.so
-rw-r--r-- 1 root root 25260 2008-04-09 22:15 libgssapiv2.so.2
-rw-r--r-- 1 root root 25260 2008-04-09 22:15 libgssapiv2.so.2.0.22
-rw-r--r-- 1 root root 13574 2008-04-09 17:50 liblogin.a
-rw-r--r-- 1 root root 842 2008-04-09 17:49 liblogin.la
-rw-r--r-- 1 root root 13268 2008-04-09 17:50 liblogin.so
-rw-r--r-- 1 root root 13268 2008-04-09 17:50 liblogin.so.2
-rw-r--r-- 1 root root 13268 2008-04-09 17:50 liblogin.so.2.0.22
-rw-r--r-- 1 root root 30016 2008-04-09 17:50 libntlm.a
-rw-r--r-- 1 root root 836 2008-04-09 17:49 libntlm.la
-rw-r--r-- 1 root root 29236 2008-04-09 17:50 libntlm.so
-rw-r--r-- 1 root root 29236 2008-04-09 17:50 libntlm.so.2
-rw-r--r-- 1 root root 29236 2008-04-09 17:50 libntlm.so.2.0.22
-rw-r--r-- 1 root root 13798 2008-04-09 17:50 libplain.a
-rw-r--r-- 1 root root 842 2008-04-09 17:49 libplain.la
-rw-r--r-- 1 root root 13396 2008-04-09 17:50 libplain.so
-rw-r--r-- 1 root root 13396 2008-04-09 17:50 libplain.so.2
-rw-r--r-- 1 root root 13396 2008-04-09 17:50 libplain.so.2.0.22
-rw-r--r-- 1 root root 22126 2008-04-09 17:50 libsasldb.a
-rw-r--r-- 1 root root 873 2008-04-09 17:49 libsasldb.la
-rw-r--r-- 1 root root 18080 2008-04-09 17:50 libsasldb.so
-rw-r--r-- 1 root root 18080 2008-04-09 17:50 libsasldb.so.2
-rw-r--r-- 1 root root 18080 2008-04-09 17:50 libsasldb.so.2.0.22
-rw-r----- 1 root root 701 2008-09-16 12:12 saslpasswd.conf
-rw-r----- 1 smmta smmsp 885 2008-09-16 12:12 Sendmail.conf

-- listing of /etc/postfix/sasl --
total 8
drwxr-xr-x 2 root root 112 2008-10-18 02:34 .
drwxr-xr-x 3 root root 448 2008-10-18 02:52 ..
-rw-r--r-- 1 root root 71 2008-10-18 02:34 OLDsmptd.conf
-rw-r--r-- 1 root root 68 2008-10-18 02:34 smtpd.conf

-- permissions for /etc/postfix/sasl_passwd --
-rw------- 1 root root 85 2008-10-17 16:36 /etc/postfix/sasl_passwd

-- permissions for /etc/postfix/sasl_passwd.db --
-rw------- 1 root root 12288 2008-10-17 16:36 /etc/postfix/sasl_passwd.db

/etc/postfix/sasl_passwd.db is up to date.

-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - - - - smtpd
-o content_filter=spamassassin:dummy
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

-- mechanisms on relay.******t.com --

-- end of saslfinger output --

What is the output of :

$ telnet relay.******t.com 26

where you use the actual name of the relay host you've blanked out.

I shouldn't be so paranoid.. :slight_smile:

The telnet works, here is the output:

telnet relay.dnsexit.com 26
Trying 64.182.102.185...
Connected to relay.dnsexit.com.
Escape character is '^]'.
220 box7.911domain.com ESMTP Sendmail

Also, I checked to see if my user/pass work:

perl -MMIME::Base64 -e 'print encode_base64("\000username\000password")'

Using the above perl command, I got a hash something like this:
***7QWERTYasdYWFk**
I tested that to make sure I get authenticated against the same relay server:

telnet relay.dnsexit.com 26
Trying 64.182.102.185...
Connected to relay.dnsexit.com.
Escape character is '^]'.
220 box7.911domain.com ESMTP Sendmail 
ehlo testing
250-box7.911domain.com Hello some.****.com [**.**.134.71], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 20000000
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH PLAIN ***7QWERTYasdYWFk**
235 2.0.0 OK Authenticated
quit
221 2.0.0 box7.911domain.com closing connection

I guess it has to be Postfix. It's just not bringing up SASL to authenticate. Is there a way to debug that?

Thanks again.
Nitin

Ok, good, we were looking for the lines:

250-AUTH LOGIN PLAIN
250-STARTTLS

Now, check that what is on the LHS of your smtp_sasl_password_maps file (hash:/etc/postfix/sasl_passwd) matches exactly the value you have for relayhost = (e.g. [relay.******t.com]:26).

Also, I just noticed you don't have SASL enabled for the SMTP client:

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous

I checked the main.cf again and restarted Postfix.
Here is the postconf output again:

postconf -n | grep -i _sasl_
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

Here is the sasl_passwd file contents:

# sasl_passwd
# Syntax:
# domain        username:password
relay.dnsexit.com       username:password 

Do I need to put [relay.dnsexit.com]:26 in the sasl_passwd?

smtpd_* is for receiving, not sending. You need the smtp (without the trailing d) client parameters.

Oh my ................
It worked. It was smtp_sasl_auth...
That was .. lame on my part.... :o

Thanks again MrC. You rock! :b:

-Nitin :slight_smile:

Cheers!
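
The checks the replies walk through (client-side `smtp_sasl_*` rather than `smtpd_sasl_*`, the sasl_passwd key compared with `relayhost`, and the mechanisms the relay advertises) can be run over `postconf -n` output in one pass. This is an added example, not part of the original thread: the inputs are constructed samples modelled on the posts, the function names are hypothetical, and the TLS check goes beyond what the thread covers.

```python
import re

# Constructed inputs modelled on the thread; credentials are placeholders.
POSTCONF_N = """relayhost = [relay.dnsexit.com]:26
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""
SASL_PASSWD = "# domain   username:password\nrelay.dnsexit.com   username:password\n"
EHLO_REPLY = "250-PIPELINING\n250-AUTH LOGIN PLAIN\n250-STARTTLS\n250 HELP\n"


def parse_postconf(text):
    """Map 'name = value' lines (postconf -n format) to a dict."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {name.strip(): value.strip() for name, _, value in pairs}


def ehlo_keywords(reply):
    """Return {KEYWORD: [arguments]} for each 250 line of an EHLO reply."""
    found = {}
    for line in reply.splitlines():
        m = re.match(r"250[- ](\S+)(.*)", line)
        if m:
            found[m.group(1).upper()] = m.group(2).split()
    return found


def check_relay_auth(postconf_text, passwd_text, ehlo_reply):
    """Return findings about the client-side (smtp_*) relay authentication setup."""
    p, ehlo, findings = parse_postconf(postconf_text), ehlo_keywords(ehlo_reply), []
    if p.get("smtp_sasl_auth_enable", "no") != "yes":
        side = " (only smtpd_*, the receiving side, is enabled)" \
            if p.get("smtpd_sasl_auth_enable") == "yes" else ""
        findings.append("smtp_sasl_auth_enable is not yes" + side)
    # Postfix's built-in default for this parameter is "noplaintext, noanonymous".
    opts = p.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    offered = set(ehlo.get("AUTH", []))
    if "noplaintext" in opts and offered and offered <= {"PLAIN", "LOGIN"}:
        findings.append("relay offers only PLAIN/LOGIN but noplaintext is in effect")
    keys = [ln.split()[0] for ln in passwd_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    if p.get("relayhost") and p["relayhost"] not in keys:
        findings.append("sasl_passwd has no key identical to " + p["relayhost"])
    if offered and p.get("smtp_tls_security_level", "") in ("", "none", "may"):
        findings.append("TLS is not mandatory, so AUTH credentials can cross the wire in clear")
    return findings


if __name__ == "__main__":
    for finding in check_relay_auth(POSTCONF_N, SASL_PASSWD, EHLO_REPLY):
        print("FINDING:", finding)
```

On a live host, feed it the real `postconf -n` output and the EHLO reply captured from the relay; after changing sasl_passwd, rebuild the map with postmap as in the first post.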