Postfix SMTP not accepting authentication
I am working on setting up a mail server using Dovecot and Postfix on Debian Squeeze. So far I am able to connect to secure IMAP via Dovecot, and I am able to receive emails. However, I am unable to get Postfix to accept authentication for SMTP. My email client at home can make the connection initially, but then complains that the server doesn't support authentication and refuses to send messages.
Here are the lines that show up in /var/log/mail.log when I try to send a message (my IP is replaced for security):
Aug 31 18:55:23 li283-45 postfix/smtpd[29732]: connect from pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]
Aug 31 18:55:34 li283-45 postfix/smtpd[29732]: lost connection after AUTH from pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]
Aug 31 18:55:34 li283-45 postfix/smtpd[29732]: disconnect from pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]
I've tried doing a Google search, and everything suggested stuff with my sasl settings in main.cf, none of which worked (though I did apt-get install all the needed sasl packages). My current /etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.cert
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = www.youdolinux.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = mail/
myorigin = youdolinux.com
mydestination = $myhostname, localhost.$mydomain, localhost, youdolinux.com, www.youdolinux.com, mail.youdolinux.com
#relayhost =
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# SASL SUPPORT
smtpd_sasl_auth_enabled = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
mailbox_command = /usr/bin/procmail
17 Replies
Follow the steps outlined here
Thanks!
(Depending on how you're sending the mails, you may need to add the -v switch to the 'smtp' entry instead.)
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: connection established
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: master_notify: status 0
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: name_mask: resource
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: name_mask: software
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: connect from pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: XXX.XXX.XXX.XXX: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: XXX.XXX.XXX.XXX: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_hostname: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net ~? 127.0.0.0/8
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_hostaddr: XXX.XXX.XXX.XXX ~? 127.0.0.0/8
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_hostname: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net ~? 66.228.33.0/24
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_hostaddr: XXX.XXX.XXX.XXX ~? 66.228.33.0/24
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: XXX.XXX.XXX.XXX: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: send attr request = connect
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: send attr ident = submission:XXX.XXX.XXX.XXX
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/anvil: wanted attribute: status
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: status
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute value: 0
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/anvil: wanted attribute: count
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: count
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute value: 1
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/anvil: wanted attribute: rate
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: rate
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute value: 1
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/anvil: wanted attribute: (list terminator)
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: (end)
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 220 www.youdolinux.com ESMTP Postfix (Debian/GNU)
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: < pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: EHLO debian.home
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-www.youdolinux.com
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-PIPELINING
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-SIZE 10240000
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-VRFY
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-ETRN
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: XXX.XXX.XXX.XXX: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-STARTTLS
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-ENHANCEDSTATUSCODES
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-8BITMIME
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250 DSN
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: < pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: STARTTLS
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 220 2.0.0 Ready to start TLS
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: auto_clnt_open: connected to private/tlsmgr
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: send attr request = seed
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: send attr size = 32
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/tlsmgr: wanted attribute: status
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: status
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute value: 0
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/tlsmgr: wanted attribute: seed
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: seed
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute value: FNcLU9CMD+K8kBAspGHrw+GhgwdozRyg0S3MmAmwBGE=
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/tlsmgr: wanted attribute: (list terminator)
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: (end)
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: < pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: EHLO debian.home
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-www.youdolinux.com
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-PIPELINING
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-SIZE 10240000
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-VRFY
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: XXX.XXX.XXX.XXX: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-74-111-178-159.pitbpa.fios.verizon.net[74.111.178.159]: 250-ETRN
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-ENHANCEDSTATUSCODES
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250-8BITMIME
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 250 DSN
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: < pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: AUTH PLAIN <snip>==
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: > pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: 503 5.5.1 Error: authentication not enabled
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: smtp_get: EOF
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_hostname: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net ~? 127.0.0.0/8
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_hostaddr: XXX.XXX.XXX.XXX ~? 127.0.0.0/8
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_hostname: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net ~? 66.228.33.0/24
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_hostaddr: XXX.XXX.XXX.XXX ~? 66.228.33.0/24
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: match_list_match: XXX.XXX.XXX.XXX: no match
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: send attr request = disconnect
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: send attr ident = submission:XXX.XXX.XXX.XXX
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/anvil: wanted attribute: status
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: status
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute value: 0
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: private/anvil: wanted attribute: (list terminator)
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: input attribute name: (end)
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: lost connection after AUTH from pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: disconnect from pool-74-111-178-159.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: master_notify: status 1
Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: connection closed
Sep 5 12:11:24 li283-45 postfix/smtpd[23608]: auto_clnt_close: disconnect private/tlsmgr stream</snip>
There are a few references to a match list. Is this related to the "smtpd_recipient_restrictions" option near the end of my config? I want it to permit authenticated, which is there, but I can't authenticate.
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
This file exists, along with a bunch of other postfix stuff under /var/spool/postfix:
root@li283-45:~# ls /var/spool/postfix/
active bounce corrupt defer deferred dev etc flush hold incoming lib maildrop pid private public saved trace usr var
root@li283-45:~# ls /var/spool/postfix/private/
anvil bounce defer error lmtp maildrop proxymap relay rewrite scalemail-backend tlsmgr uucp virtual
auth bsmtp discard ifmail local mailman proxywrite retry scache smtp trace verify
root@li283-45:~# ls /var/spool/postfix/private/auth
/var/spool/postfix/private/auth
I have both a user and a group called postfix.
What needs to be listening? Postfix and Dovecot both seem to be listening.
> Sep 5 12:11:19 li283-45 postfix/smtpd[23608]: < pool-XXX-XXX-XXX-XXX.pitbpa.fios.verizon.net[XXX.XXX.XXX.XXX]: AUTH PLAIN
as it contains your login info.
@Piki:
derfy: I don't see my login info in that line?
derfy is correct. Heck, even scrappy probably knows there's a base64 encoded string (with your username and password) on that line.
Post the output of
# postconf -n
Here's the output:
root@li283-45:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = mail/
inet_interfaces = all
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, youdolinux.com, www.youdolinux.com, mail.youdolinux.com
myhostname = www.youdolinux.com
myorigin = youdolinux.com
readme_directory = no
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.cert
smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = hash:/etc/postfix/virtual
1. postconf -n doesn't reflect auth -- where is your "smtpd_sasl_auth_enabled = yes"? Postfix indicates that is not currently configured. Check your syntax, restart postfix and re-check with postconf -n again.
2. smtpd_recipient_restrictions -- you need to add "reject_unauth_destination" at the end of this configuration. Remove the deprecated "check_relay_domains" and replace it with "reject_unauth_destination".
Postfix isn't going to support auth without these.
Additionally, you may want to add "broken_sasl_auth_clients = yes" as an SASL option if you'll be using Outlook Express and/or certain versions of Exchange.
Make those changes and test. If it still fails, post another copy of your postconf -n output. Alternatively you might want to use saslfinger to help you troubleshoot -- you'll want to test server-side with the -s argument:
"smtpd_sasl_auth_enabled = yes" is in main.conf, and I've already restarted Postfix several times with that enabled, but it isn't showing that in "postconf -n":
root@li283-45:~# postconf -n | grep smtpd_sasl_auth_enabled
root@li283-45:~# cat /etc/postfix/main.cf | grep smtpd_sasl_auth_enabled
smtpd_sasl_auth_enabled = yes
root@li283-45:~#
Here is a post of main.conf the way it is now (replace check_relay_domains with reject_unauth_destination):
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.cert
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = www.youdolinux.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
home_mailbox = mail/
myorigin = youdolinux.com
mydestination = $myhostname, localhost.$mydomain, localhost, youdolinux.com, www.youdolinux.com, mail.youdolinux.com
#relayhost =
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# SASL SUPPORT
smtpd_sasl_auth_enabled = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
mailbox_command = /usr/bin/procmail
"postconf -n" (after restarting postfix for the change above to take effect):
root@li283-45:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = mail/
inet_interfaces = all
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, youdolinux.com, www.youdolinux.com, mail.youdolinux.com
myhostname = www.youdolinux.com
myorigin = youdolinux.com
readme_directory = no
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.cert
smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_auth_enable = yes
Take the 'd' off the word 'enabled' to make it 'enable' and restart postfix and test with 'postconf -n' again. If it's still not working, check what shared libraries your smtpd binary is linked against:
ldd /usr/libexec/postfix/smtpd
and post the output.
Using the past tense of "enable" was the issue. I'm able to authenticate via SMTP now. Gotta love those typos.
Thanks for the help!
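Added example (not part of the original thread): the root cause above was a misspelled parameter name in main.cf that never showed up in `postconf -n`. The script below compares the names set in a main.cf against the names in saved `postconf -d` output and lists the ones Postfix does not know; the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list main.cf parameter names that Postfix does not know.
# A flagged name is a likely typo, or a deliberate user-defined parameter.

# param_names FILE: print the names assigned in FILE, one per line, sorted.
# Comments, blank lines and continuation lines (leading whitespace) are skipped.
param_names() {
    sed -n 's/^\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" |
        LC_ALL=C sort -u
}

# unknown_params MAIN_CF DEFAULTS: names set in MAIN_CF but absent from
# DEFAULTS, where DEFAULTS is saved output of `postconf -d`.
unknown_params() {
    _set=$(mktemp) && _known=$(mktemp) || return 1
    param_names "$1" > "$_set"
    param_names "$2" > "$_known"
    LC_ALL=C comm -23 "$_set" "$_known"
    rm -f "$_set" "$_known"
}

# demo: run the check on constructed samples (not real server files).
demo() {
    _dir=$(mktemp -d) || return 1
    # Constructed main.cf excerpt, using the SASL lines quoted in the thread.
    cat > "$_dir/main.cf" <<'EOF'
# SASL SUPPORT
smtpd_sasl_auth_enabled = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
EOF
    # Constructed stand-in for `postconf -d` output (four built-in names).
    cat > "$_dir/defaults" <<'EOF'
smtpd_recipient_restrictions =
smtpd_sasl_auth_enable = no
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
EOF
    unknown_params "$_dir/main.cf" "$_dir/defaults"
    rm -rf "$_dir"
}

demo
```

On a live host, save `postconf -d` to a file and pass it together with /etc/postfix/main.cf. Postfix 2.9 and later also make postconf itself warn about unused parameters in main.cf.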