Trying to get authentication on my mail server (Ubuntu 10.04) running but am having trouble. I have a server with postfix for SMTP set up, and an IMAP server with courier set up. My postfix authentication is using cyrus (I haven't tried dovecot really) saslauth. The user name and password are stored in a MySQL database. Logging in with imap-ssl works on a remote client (Thunderbird), and I can read my mail. I can't get the SMTP side working, and have narrowed the issue down to saslauth.
Testing with
testsaslauthd -u 'username' -p 'password' -s smtp
returns
connect() : Permission denied
The password in the database is encrypted and I guess this testsaslauthd will take a plain text password and encrypt it.
Looking for someone to walk me through getting this working. I'm new to mail servers, and have never got one fully working. Thanks. Ask me which log files I should look at/post, which tests to run, permissions to check.
Edit: (3/26/2012) For more information: I can't get any mail client to work; they give errors like
The message could not be sent because connecting to SMTP server <mydomain.com> failed. The server may be unavailable or is refusing SMTP connections
I have the respective ports open in iptables, but I am guessing that it is an internal problem because of the test I ran above. I have also run telnet to mail.mydomain.com 25 and run ehlo localhost and get this in return
250-mail.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EDIT: (3/28/2012 2:45pm)
~$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.mydomain.co, localhost, localhost.localdomain
myhostname = mail.mydomain.co
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = no
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwards.cf, mysql:/etc/postfix/mysql-email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-mailboxes.cf
virtual_uid_maps = static:5000
EDIT: Solved (3/29/2012) Thanks to both @AveryPane and @malloc4k for pointing me in the right direction. A few things I had to do: make sure that my MX records were in proper order. I used the tool intodns.com and also http://www.mxtoolbox.com for checking whether my server was accepting connections. Then using tail -f I watched my logs for any errors, was excited to see that there was actually something being logged once I got my DNS records straightened out, and tweaked some config files.
Two things that I didn't know about: one was that some ISPs block port 25, which in my case might have been why Thunderbird wasn't seeing my server on port 25. Second, in the file /etc/postfix/master.cf there are settings about which ports to allow postfix to listen on. The default port 25 is there, the line
smtp inet n - - - - smtpd
which basically says "hi, I'm postfix, I run on port 25". If you want to run postfix on another port, 587 which is popular for mail servers, add this line near there in master.cf
587 inet n - - - - smtpd
Run a restart: /etc/init.d/postfix restart
and you should be set. That was the solution for me.
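Added example (not part of the original post): the EHLO reply quoted in the question offers AUTH PLAIN LOGIN on a plain telnet session, next to STARTTLS, so a client could send its password before encryption starts. The Python sketch below audits a trimmed, constructed copy of that reply and of the `postconf -n` dump; the function names and finding IDs are hypothetical, while `smtpd_tls_auth_only` and `smtpd_tls_security_level` are standard Postfix parameters that do not appear in the posted configuration.

```python
# Constructed samples, trimmed from the EHLO reply and `postconf -n` dump in the question.
EHLO_BEFORE_TLS = """250-mail.domain.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN"""
POSTCONF_N = """broken_sasl_auth_clients = yes
relayhost =
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes"""

def parse_ehlo(text):
    """Map each EHLO keyword to its set of arguments, skipping the greeting line."""
    caps = {}
    lines = [l for l in text.splitlines() if l[:3] == "250" and l[3:4] in ("-", " ")]
    for line in lines[1:]:  # first 250 line is the server's greeting, not a keyword
        # "AUTH=PLAIN LOGIN" is the legacy form enabled by broken_sasl_auth_clients
        keyword, _, args = line[4:].replace("=", " ", 1).partition(" ")
        caps.setdefault(keyword.upper(), set()).update(args.upper().split())
    return caps

def parse_postconf(text):
    """Parse `name = value` lines; empty values (e.g. `relayhost =`) become ''."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def audit(ehlo_text, postconf_text):
    """Return finding IDs for password exposure on an unencrypted SMTP session."""
    caps, conf = parse_ehlo(ehlo_text), parse_postconf(postconf_text)
    findings = []
    reusable = caps.get("AUTH", set()) & {"PLAIN", "LOGIN"}
    if reusable:  # reply was captured before STARTTLS, so these would travel in clear
        findings.append("auth-offered-before-starttls:" + ",".join(sorted(reusable)))
    if "STARTTLS" not in caps:
        findings.append("starttls-not-offered")
    tls_forced = (conf.get("smtpd_tls_auth_only") == "yes"
                  or conf.get("smtpd_tls_security_level") == "encrypt")
    if conf.get("smtpd_sasl_auth_enable") == "yes" and not tls_forced:
        findings.append("smtpd_tls_auth_only-not-set")
    return findings

if __name__ == "__main__":
    for finding in audit(EHLO_BEFORE_TLS, POSTCONF_N):
        print(finding)
```

With `smtpd_tls_auth_only = yes` in main.cf, Postfix stops advertising AUTH until the session is encrypted, and both findings clear.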
Welcome to E-mail hell, my friend. You're in good company. First, if you are really serious about running an email server, you'll want to study up. E-mail is like most utility services - taken for granted, but no one wants to think about the effort involved to make it work. I'd recommend the excellent (and thankfully brief) O'Reilly book Postfix: The Definitive Guide, which is an excellent source of information on getting Postfix running.
I'd also take the time to read up on some basic "rules of the game", as a lot of the global E-mail system is basically a bunch of gentlemen's agreements to not stomp on each other's deliveries. Sure, you could wade through thick mounds of documents like RFC 2142 and others, but I think we can condense this down to a few simple rules:
There's much, much more, but those basic things should get you pointed in the right direction.
With regard to the "client can't send" portion of your question, the issue is related to the domains you accept email for. Specifically, your post mentions:
Both of those are incorrect. Look here to set the mydestination parameter, and here for the myhostname parameter. Those two parameters basically tell postfix what it will accept for delivery, based on what is on the right-half of the To: email address. Having them set to nothing and my.domain.com means it will only accept delivery for my.domain.com but it still won't deliver it because mydestination is blank. I could be wrong, but I don't think that is what you were wanting.
Problem may be in your Cyrus settings or in PAM settings (probably Cyrus SASL uses PAM to communicate with MySQL in your setup).
I advise you two things:
Go carefully through the appropriate section in the Postfix documentation: SASL_README
Check your /var/log/auth.log