Postfix SMTP authentication
I've installed the Discourse Linode and am trying to get SMTP working so that I can complete the installation. I got the SMTP restrictions lifted and installed Postfix and Dovecot. The set-up is as follows:
- The domain is discourse.example.com
- Mail for discourse.example.com is hosted by Mythic Beasts (smtp-auth.mythic-beasts.com)
The Postfix configuration is based on these two tutorials:
https://devanswers.co/postfix-external-smtp-server/
https://devanswers.co/postfix-statusbounced-unknown-user-user/
The second article stops Postfix trying to relay the emails locally. When I send a test email, Postfix now tries to relay it via smtp-auth.mythic-beasts.com, but the server refuses to relay it because no authentication is used:
Oct 25 13:51:08 discourse postfix/smtp[320583]: 1747D82664: to=<mail@discourse.example.com>, relay=smtp-auth.mythic-beasts.com[2a00:1098:0:82:1000:0:2:1]:587, delay=0.3, delays=0.02/0.02/0.25/0, dsn=5.0.0, status=bounced (host smtp-auth.mythic-beasts.com[2a00:1098:0:82:1000:0:2:1] said: 550 Please authenticate yourself first (in reply to MAIL FROM command))
I tried configuring Dovecot SASL using these instructions:
http://www.postfix.org/SASL_README.html#server_sasl
http://www.postfix.org/SASL_README.html#server_sasl_enable
That hasn't done the trick - I'm still seeing the same error. I feel I'm close, but I'm a bit out of my depth here. Does anyone have any pointers?
For info, this is my current /etc/postfix/main.cf file:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
relayhost = smtp-auth.mythic-beasts.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
This is the service auth block in /etc/dovecot/conf.d/10-master.conf:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
}
And these are the authentication methods in /etc/dovecot/conf.d/10-auth.conf:
auth_mechanisms = plain login
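The 550 in the log above is the relay rejecting an unauthenticated MAIL FROM, so the settings that decide the outcome are the SMTP client ones (smtp_*: relayhost, smtp_sasl_auth_enable, smtp_sasl_password_maps), while smtpd_* and the Dovecot socket only govern clients authenticating to this server. The following Python is an added example, not from the thread or from Postfix: it parses a main.cf and a sasl_passwd file (constructed sample content, placeholder credentials) and lists gaps in that client-side chain. Its key matching is a simplification of Postfix's lookup order (an assumption, not the documented algorithm).

```python
# Constructed sample modelled on the main.cf lines quoted in the question
# (not the poster's actual file).
SAMPLE_MAIN_CF = """
relayhost = smtp-auth.mythic-beasts.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
"""
# Constructed sasl_passwd; the credentials are a placeholder, not real ones.
SAMPLE_SASL_PASSWD = """
# destination                        credentials
[smtp-auth.mythic-beasts.com]:587    relay-user@example.com:PLACEHOLDER
"""

def parse_kv(text):
    """Parse 'key = value' lines; a later key overrides an earlier one, as in Postfix."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def sasl_destinations(text):
    """Destination keys of a sasl_passwd file (the credential column is dropped)."""
    return [l.split()[0] for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def host_of(dest):
    """Strip the optional [] and :port: '[mail.example]:587' -> 'mail.example'."""
    return dest[1:].split("]", 1)[0] if dest.startswith("[") else dest.split(":", 1)[0]

def check_relay_auth(main_cf, sasl_passwd):
    """List gaps in the SMTP *client* (smtp_*) chain that authenticates to relayhost."""
    conf, problems = parse_kv(main_cf), []
    relay = conf.get("relayhost", "")
    if not relay:
        problems.append("relayhost is not set")
    if conf.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        problems.append("smtp_sasl_auth_enable is not yes (smtpd_sasl_* settings only cover inbound clients)")
    if not conf.get("smtp_sasl_password_maps"):
        problems.append("smtp_sasl_password_maps is not set")
    if "noplaintext" in conf.get("smtp_sasl_security_options", "noplaintext, noanonymous"):
        problems.append("noplaintext in smtp_sasl_security_options excludes the PLAIN and LOGIN mechanisms")
    # Simplified matching (assumption): exact relayhost value or the same bare hostname.
    keys = sasl_destinations(sasl_passwd)
    if relay and not any(k == relay or host_of(k) == host_of(relay) for k in keys):
        problems.append(f"no sasl_passwd entry matches relayhost {relay}")
    if conf.get("smtp_tls_security_level", "none") == "none":
        problems.append("smtp_tls_security_level is none: the password would cross the network unencrypted")
    return problems
```

Remember that the hash: map must be rebuilt with postmap after editing sasl_passwd; this script only reads the text file.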
3 Replies
You need to acquire your own certificate and use it. I use a Let's Encrypt cert so chain.pem is the cert of the certificate authority (these are the relevant excerpts):
# Use the Let's Encrypt SSL certificate
#
smtp_tls_security_level = encrypt
smtp_tls_cert_file=/usr/local/etc/letsencrypt/live/mydomain.com/cert.pem
smtp_tls_key_file=/usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem
smtp_tls_CAfile=/usr/local/etc/letsencrypt/live/mydomain.com/chain.pem
#
smtpd_tls_cert_file=/usr/local/etc/letsencrypt/live/mydomain.com/cert.pem
smtpd_tls_key_file=/usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem
smtpd_tls_CAfile=/usr/local/etc/letsencrypt/live/mydomain.com/chain.pem
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = yes
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
# Enabling SMTP for authenticated users, and handing off authentication
# to Dovecot
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = no
The file path to your cert will be different. Use whatever Let's Encrypt tells you to use.
Similarly, in dovecot(1), you need to tell it to use your Let's Encrypt cert as well. In /etc/dovecot/conf.d/10-ssl.conf (relevant excerpts):
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
ssl_cert = </usr/local/etc/letsencrypt/live/mydomain.com/cert.pem
ssl_key = </usr/local/etc/letsencrypt/live/mydomain.com/privkey.pem
ssl_ca = </usr/local/etc/letsencrypt/live/mydomain.com/chain.pem
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
#ssl_dh = </usr/share/dovecot/dh.pem
ssl_dh = </srv/mail/etc/conf/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
ssl_min_protocol = TLSv1.2
Also for dovecot(1), you'll want to set up how your users connect to it in /etc/dovecot/conf.d/10-auth.conf. Here's mine as an example:
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
default_vsz_limit = 0
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
  inet_listener imap {
    port = 143
    address = 127.0.0.1 ::1
    ssl = no
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1
  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}
service pop3-login {
  inet_listener pop3 {
    #port = 110
    port = 0
  }
  inet_listener pop3s {
    #port = 995
    port = 0
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0666
    user = postfix
    group = postfix
  }
  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}
service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = 256M
  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}
service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}
service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = maildrop
  }
  unix_listener auth-userdb {
    mode = 0600
    user = postfix
    group = maildrop
  }
  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}
  # Auth process is run as this user.
  #user = $default_internal_user
  user = dovecot
}
auth_mechanisms = login plain
service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
  user = postfix
}
service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}
Postfix uses LMTP to communicate with dovecot. This is on a local-domain socket so no encryption/security is required.
I have pop3 and pop3s (ports 110 & 995 respectively) disabled. I have imap (port 143) enabled for localhost only (not using SSL…this is for something that is unique to me) and imaps (port 993) enabled.
You'll have to finagle with the paths to the cert files, paths to sockets, user/group names, etc. Obviously, my system is different than yours but this should get you started. You're going to be engaged in some trial and error here…
This may be overkill for you because my customers use postfix/dovecot for email service on their laptops/phones/etc. That may not be the case for you, so some of this may not apply. You'll have to decide what is relevant to you.
-- sw
Many thanks for the detailed answer. I've fixed the SSL certificate settings but I'm still fiddling with the other configuration files. I'll post the configuration should I ever figure this one out…
If you increase the value of:
smtpd_tls_loglevel = 1
and set up some of the following stuff in /etc/dovecot/conf.d/10-logging.conf you can get more detailed information in the mail log about what's going on and why:
# Log unsuccessful authentication attempts and the reasons why they failed.
auth_verbose = no
#auth_verbose = yes
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
#auth_verbose_passwords = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
auth_debug = no
#auth_debug = yes
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
auth_debug_passwords = no
#auth_debug_passwords = yes
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
mail_debug = no
#mail_debug = yes
# Show protocol level SSL errors.
verbose_ssl = no
#verbose_ssl = yes
You'll want to be sure that you turn a lot of this off and delete old log files when your system goes into production. It logs sensitive information about passwords and keys.
-- sw
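To turn the warning above into a repeatable check, here is an added Python example (not from the thread or from Dovecot): it audits a 10-logging.conf excerpt for the debugging switches listed in the reply, reports what each enabled switch writes to the mail log, and produces a copy with them turned back off. The sample file content is constructed; the descriptions of what each switch logs follow the comments shown in the file.

```python
# Constructed excerpt in the style of /etc/dovecot/conf.d/10-logging.conf, with the
# debugging switches from the reply left on as they might be after troubleshooting.
SAMPLE_LOGGING_CONF = """
auth_verbose = yes
auth_verbose_passwords = plain
auth_debug = yes
auth_debug_passwords = yes
mail_debug = yes
verbose_ssl = yes
log_path = syslog
"""

# Values that make each switch write something into the mail log, and what that is.
SENSITIVE = {
    "auth_verbose_passwords": {"plain": "cleartext of mistyped passwords",
                               "sha1": "SHA-1 of mistyped passwords (guessable offline)"},
    "auth_debug_passwords": {"yes": "passwords and the password scheme in use"},
    "auth_debug": {"yes": "authentication internals such as SQL queries"},
    "auth_verbose": {"yes": "usernames and reasons for failed logins"},
    "mail_debug": {"yes": "mail process internals"},
    "verbose_ssl": {"yes": "TLS protocol errors"},
}

def parse_flat(text):
    """Parse the top-level 'key = value' lines of a Dovecot conf file (no nesting)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_logging(text):
    """Return (setting, value, what it logs) for every debug switch still enabled."""
    conf, findings = parse_flat(text), []
    for key, risky in SENSITIVE.items():
        value = conf.get(key, "no")
        # auth_debug_passwords = yes implicitly enables auth_debug (see the file's comment).
        if key == "auth_debug" and conf.get("auth_debug_passwords", "no") == "yes":
            value = "yes"
        if value in risky:
            findings.append((key, value, risky[value]))
    return findings

def harden(text):
    """Return the file with every debug switch forced to 'no'; other lines are kept."""
    out = []
    for line in text.splitlines():
        key = line.partition("=")[0].strip()
        out.append(f"{key} = no" if key in SENSITIVE and not line.lstrip().startswith("#") else line)
    return "\n".join(out)
```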