I have one host (rhea) where I have installed Postfix to relay the email from my home server (tronics24), which is on a DSL connection.
I have generated self-signed certificates (on rhea):
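#!/usr/bin/env bash
# Generate a self-signed server certificate/key for smtpd plus a separate
# self-signed CA (run on rhea), then install them under /etc/ssl.
# Files written: smtpd.key, smtpd.crt, cakey.pem, cacert.pem, moved into
# /etc/ssl/private (keys) and /etc/ssl/certs (certificates).
# Both `openssl req -x509` calls prompt interactively for the subject
# (and for a passphrase on cakey.pem, since -nodes is not given).
# NOTE: smtpd.crt is self-signed here, not issued by cacert.pem, so the CA
# file does not certify the server certificate. If the CA file is meant to
# vouch for smtpd.crt, sign a CSR for smtpd with cakey.pem instead of
# self-signing it.
set -euo pipefail

# Create the private key unreadable by others from the start (no window
# between creation and chmod) and use 2048 bits; 1024-bit RSA is below
# current minimum key sizes.
(umask 077; openssl genrsa -out smtpd.key 2048)
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
# Do not rely on how -keyout created the CA key; make it private explicitly.
chmod 600 cakey.pem

# Private keys go to /etc/ssl/private, public certificates to /etc/ssl/certs.
sudo mv -- smtpd.key cakey.pem /etc/ssl/private/
sudo mv -- smtpd.crt cacert.pem /etc/ssl/certs/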
I have tested the certificates:
root@rhea:~# openssl s_client -showcerts -cert /etc/ssl/certs/smtpd.crt -key /etc/ssl/private/smtpd.key -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect localhost:25
To which Postfix replies (in /var/log/mail.log):
Apr 26 02:44:36 rhea postfix/smtpd[28778]: connect from localhost[127.0.0.1]
Apr 26 02:44:36 rhea postfix/smtpd[28778]: setting up TLS connection from localhost[127.0.0.1]
Apr 26 02:44:37 rhea postfix/smtpd[28778]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
I have tested SASL authentication:
root@rhea:~# testsaslauthd -u <my-user> -p <my-pass>
0: OK "Success."
Up to this point everything looks fine. Now I try to connect from my home server. First, I generate the authentication string:
printf '<my-user>\0<my-user>\0<my-pass>' | mmencode
dummydummy...==
myuser@tronics24 ~ » openssl s_client -starttls smtp -host rhea.<my-domain>.net -port 25
...
250 DSN
ehlo localhost
250-<mydomain>.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dummydummy
535 5.7.8 Error: authentication failed: another step is needed in authentication
Postfix on rhea is telling me the same thing:
Apr 26 02:17:10 rhea postfix/smtpd[11085]: connect from ip-82-143-145-145.myispdomain.com[82.143.145.145]
Apr 26 02:17:10 rhea postfix/smtpd[11085]: setting up TLS connection from ip-82-143-145-145.myispdomain.com[82.143.145.145]
Apr 26 02:17:10 rhea postfix/smtpd[11085]: Anonymous TLS connection established from ip-82-143-145-145.myispdomain.com[82.143.145.145]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 26 02:17:19 rhea postfix/smtpd[11085]: warning: ip-82-143-145-145.myispdomain.com[82.143.145.145]: SASL PLAIN authentication failed: another step is needed in authentication
Apr 26 02:17:35 rhea postfix/smtpd[11085]: lost connection after AUTH from ip-82-143-145-145.myispdomain.com[82.143.145.145]
Apr 26 02:17:35 rhea postfix/smtpd[11085]: disconnect from ip-82-143-145-145.myispdomain.com[82.143.145.145]
I am very confused by this and do not know what else to look for. Do you have any idea what else I should verify?
EDIT
As requested, I am posting the Postfix configuration:
# Let's check the postconf configuration
root@rhea:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = rhea.<my-domain>.net, localhost.<my-domain>.net, localhost
myhostname = rhea.<my-domain>.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 82.143.145.145
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
The output of postconf -a:
root@rhea:~# postconf -a
cyrus
dovecot
This is the output of saslfinger -s:
root@rhea:~# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Thu Apr 26 10:34:57 CEST 2012
version: 1.0.4
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.5.1
System: Ubuntu 8.04.4 LTS (server)
Linux rhea.<my-domain>.net 2.6.32.2-xxxx-grs-ipv4-32 #1 SMP Tue Dec 29 14:41:18 UTC 2009 i686 GNU/Linux
server : rps
ip : 178.52.127.32
hostname : rhea.<my-domain>.net
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7593000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
-- listing of /usr/lib/sasl2 --
total 716
drwxr-xr-x 2 root root 4096 2011-06-28 10:21 .
drwxr-xr-x 70 root root 36864 2011-06-22 17:30 ..
-rw-r--r-- 1 root root 13568 2009-06-23 21:14 libanonymous.a
-rw-r--r-- 1 root root 862 2009-06-23 21:14 libanonymous.la
-rw-r--r-- 1 root root 12984 2009-06-23 21:14 libanonymous.so
-rw-r--r-- 1 root root 12984 2009-06-23 21:14 libanonymous.so.2
-rw-r--r-- 1 root root 12984 2009-06-23 21:14 libanonymous.so.2.0.22
-rw-r--r-- 1 root root 15834 2009-06-23 21:14 libcrammd5.a
-rw-r--r-- 1 root root 848 2009-06-23 21:14 libcrammd5.la
-rw-r--r-- 1 root root 15320 2009-06-23 21:14 libcrammd5.so
-rw-r--r-- 1 root root 15320 2009-06-23 21:14 libcrammd5.so.2
-rw-r--r-- 1 root root 15320 2009-06-23 21:14 libcrammd5.so.2.0.22
-rw-r--r-- 1 root root 46332 2009-06-23 21:14 libdigestmd5.a
-rw-r--r-- 1 root root 871 2009-06-23 21:14 libdigestmd5.la
-rw-r--r-- 1 root root 43020 2009-06-23 21:14 libdigestmd5.so
-rw-r--r-- 1 root root 43020 2009-06-23 21:14 libdigestmd5.so.2
-rw-r--r-- 1 root root 43020 2009-06-23 21:14 libdigestmd5.so.2.0.22
-rw-r--r-- 1 root root 13574 2009-06-23 21:14 liblogin.a
-rw-r--r-- 1 root root 842 2009-06-23 21:14 liblogin.la
-rw-r--r-- 1 root root 13268 2009-06-23 21:14 liblogin.so
-rw-r--r-- 1 root root 13268 2009-06-23 21:14 liblogin.so.2
-rw-r--r-- 1 root root 13268 2009-06-23 21:14 liblogin.so.2.0.22
-rw-r--r-- 1 root root 30016 2009-06-23 21:14 libntlm.a
-rw-r--r-- 1 root root 836 2009-06-23 21:14 libntlm.la
-rw-r--r-- 1 root root 29236 2009-06-23 21:14 libntlm.so
-rw-r--r-- 1 root root 29236 2009-06-23 21:14 libntlm.so.2
-rw-r--r-- 1 root root 29236 2009-06-23 21:14 libntlm.so.2.0.22
-rw-r--r-- 1 root root 13798 2009-06-23 21:14 libplain.a
-rw-r--r-- 1 root root 842 2009-06-23 21:14 libplain.la
-rw-r--r-- 1 root root 13396 2009-06-23 21:14 libplain.so
-rw-r--r-- 1 root root 13396 2009-06-23 21:14 libplain.so.2
-rw-r--r-- 1 root root 13396 2009-06-23 21:14 libplain.so.2.0.22
-rw-r--r-- 1 root root 22126 2009-06-23 21:14 libsasldb.a
-rw-r--r-- 1 root root 873 2009-06-23 21:14 libsasldb.la
-rw-r--r-- 1 root root 18080 2009-06-23 21:14 libsasldb.so
-rw-r--r-- 1 root root 18080 2009-06-23 21:14 libsasldb.so.2
-rw-r--r-- 1 root root 18080 2009-06-23 21:14 libsasldb.so.2.0.22
-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 2011-07-01 11:19 .
drwxr-xr-x 3 root root 4096 2012-04-26 10:10 ..
-rw-r--r-- 1 root root 50 2011-07-01 11:19 smtpd.conf
-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - - - - smtpd
smtps inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
-- end of saslfinger output --
To relay mail from a client, use the submission service, not plain SMTP on port 25.
You should configure Postfix to reject client submission on port 25 (port 25 is only for MTA <-> MTA relay).
See the commented submission example in master.cf for details; clients should connect to port 587 (submission) using STARTTLS and LOGIN authentication.
All other mail may be rejected on the submission listener, i.e. you set a client restriction such as `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` (the setting used in the commented submission example in master.cf) on the submission service.
Then test with an actual client.