I built a server using ami-c0ee06a9 and was seeing errors attributed to authdaemond.
mail.log.1:Apr 21 17:02:56 ip-10-212-82-179 authdaemond: SQL query: SELECT id, crypt, "", uid, gid, home, contact(home,'/',maildir), "", name, "" FROM users WHERE id = 'packard' AND (enabled=1)
mail.log.1:Apr 21 17:02:56 ip-10-212-82-179 authdaemond: mysql_query failed, reconnecting: FUNCTION maildb.contact does not exist
mail.log.1:Apr 21 17:02:56 ip-10-212-82-179 authdaemond: mysql_query failed second time, giving up: FUNCTION maildb.contact does not exist
I traced the problem to /etc/courier/authmysqlrc.
Original: MYSQL_MAILDIR_FIELD contact(home,'/',maildir)
Correction: MYSQL_MAILDIR_FIELD CONCAT(home,'/',maildir)
I guess this was noticed/posted about on page 30. Sorry for the duplicate info.
Last edited by spackard; April 26th, 2011 at 01:08 AM.
Has anyone figured out an elegant solution to the problem outlined by Ontolog and oziemike a few pages back that isn't reverting to storing plaintext passwords and dropping down to PLAIN and LOGIN auth methods?
> There is a pretty major problem with the way MySQL's ENCRYPT() function is being used in conjunction with the mail server setups. Actually I had to revert to using the plaintext password for both Postfix and Courier. In the case of Postfix I also had to restrict the AUTH types to 'LOGIN' because programs that were using CRAM-MD5 were failing authentication. One major problem here is that ENCRYPT is using whatever the OS's low-level crypt() is which can be anything. Furthermore since we are not supplying any salt, the salt is random! So now we can't reproduce the crypted string since we don't know the salt.

I found myself running into the same issues when trying to negotiate an authorized login via any method that was not LOGIN. For example, trying to log in through roundcube:
Code:
Jun 14 01:59:03 authdaemond: received auth request, service=imap, authtype=cram-md5
Jun 14 01:59:03 authdaemond: authmysql: trying this module
Jun 14 01:59:03 authdaemond: cram: challenge=PDczQTVGNEI0NjI2NkVBQjE3NTQxMjY4QzYwMEFFQTRBQHNtdHAuZHJ1bmtiYWJpZXMuY29tPg==, response=Zm9ydW1zQGRydW5rYmFiaWVzLmNvbSBiNGVhOGI5ZThlMzdjMDE3NjAxOWUxOTIyZGRjZTM5Nw==
Jun 14 01:59:03 authdaemond: cram: decoded challenge/response, username 'forums@xxxxx.com'
Jun 14 01:59:03 authdaemond: authmysqllib: connected. Versions: header 50137, client 50141, server 50141
Jun 14 01:59:03 authdaemond: SQL query: SELECT id, crypt, "", uid, gid, home, concat(home,'/',maildir), "", name, "" FROM users WHERE id = 'forums@xxxx.com' AND (enabled=1 )
Jun 14 01:59:03 authdaemond: authmysql: REJECT - try next module
Jun 14 01:59:03 authdaemond: FAIL, all modules rejected
Jun 14 01:59:03 imapd-ssl: LOGIN FAILED, method=CRAM-MD5, ip=[::1]
Jun 14 01:59:08 imapd-ssl: Disconnected, ip=[::1], time=5, starttls=1
Also, when trying to send a mass e-mail through my phpBB3 setup with any auth method other than LOGIN, I get:
Code:
Jun 14 02:09:41 postfix/smtpd[1985]: connect from xxxxx.com[127.0.1.1]
Jun 14 02:09:41 postfix/smtpd[1985]: warning: SASL authentication failure: no secret in database
Jun 14 02:09:41 postfix/smtpd[1985]: warning: xxxx.com[127.0.1.1]: SASL CRAM-MD5 authentication failed: authentication failure
Jun 14 02:09:41 postfix/smtpd[1985]: lost connection after AUTH from xxxxx.com[127.0.1.1]
Jun 14 02:09:41 postfix/smtpd[1985]: disconnect from xxxx.com[127.0.1.1]
I must say, I'm a little disappointed that:
1) the problems were brought up ~10 pages ago and kind of faded away without any more dialogue about them
2) I spent the better part of 4 days scouring my configuration and setup thinking I did something wrong and just stumbled on those tidbits... haha.
Thoughts?
*Edit: As an edit, I just wanted to reiterate that, although not a newcomer to computing in any facet, I'm very new to Ubuntu and mailservers in general so I wanted to ensure that my server and its users would be free from possible malicious activity. Thanks.
*Edit 2: Does 11.04 better support this deployment? I noticed in earlier pages people were claiming no issues with 9.xx ubuntu but as soon as they upgraded to 10.xx problems started.
Last edited by glacebeast; June 14th, 2011 at 09:29 AM.
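The CRAM-MD5 rejections in the logs above follow from how the mechanism works: the server has to recompute HMAC-MD5 over its challenge using the password itself as the key, so a column that holds only crypt() output gives it nothing usable. The sketch below is an added example, not part of any post in this thread; the user, password, challenge and stored hash are constructed sample values.

```python
import base64
import hashlib
import hmac


def client_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side: base64("<user> <hex HMAC-MD5(key=password, msg=challenge)>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(stored_secret: str, challenge_b64: str, response_b64: str) -> bool:
    """Server side: recompute the HMAC using whatever the password column holds."""
    challenge = base64.b64decode(challenge_b64)
    # The digest is the last space-separated token; the user name may contain spaces.
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


# Constructed sample values (not taken from the logs in this thread).
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@mail.example.org>").decode()
USER = "forums@example.org"
PASSWORD = "correct horse"
# Placeholder standing in for the output of MySQL ENCRYPT() / crypt().
STORED_CRYPT = "$1$constructed$notARealHashJustAPlaceholder"


def demo() -> dict:
    """Verify one client response against a plaintext column and a crypt column."""
    response = client_response(USER, PASSWORD, CHALLENGE_B64)
    return {
        # Column holds the password: the server derives the same HMAC and accepts.
        "plaintext_column": server_verify(PASSWORD, CHALLENGE_B64, response),
        # Column holds a one-way hash: the HMAC key is wrong, so the login is rejected.
        "crypt_column": server_verify(STORED_CRYPT, CHALLENGE_B64, response),
    }


if __name__ == "__main__":
    print(demo())
```

PLAIN and LOGIN work with a crypt column because the client sends the password itself, which the server can hash and compare; over a TLS-only listener that password is not exposed on the wire.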
My mail server currently can't make any folders. It is only creating the inbox. If I try to create a folder remotely I get an error, and if I try to e-mail I get an error saying something along the lines of, "Could not create sendmail folder." Has anyone experienced this? Can someone help me with this? Thanks.
Bump.
I've also run into the CRAM problem mentioned above when setting up SASL/TLS on an Ubuntu 10.04 machine (64 bit). Is there a current best recommendation to work around this problem? Is SASL actually necessary when TLS is required for all connections? There is a strong desire to use an Ubuntu LTS release when setting up a mail server, but has anyone checked yet to see if this problem persists with Ubuntu 11.04?
> I've also run into the CRAM problem mentioned above when setting up SASL/TLS on an Ubuntu 10.04 machine (64 bit). Is there a current best recommendation to work around this problem?

I just disabled CRAM-MD5 in the courier-imap config and all seems to be running smooth; whether or not that is a smart solution, I can't really answer that. I do have a webmail client running and this is the only way I could make it work, but the data isn't sensitive and as long as the passwords aren't transmitted in plaintext I'm ok with it.

> Is SASL actually necessary when TLS is required for all connections?

I was thinking the same thing; per my understanding, SASL is just another layer of protection... a complement if you will. Most of us are paranoid enough to probably want maximum security though, lol.

> There is a strong desire to use an Ubuntu LTS release when setting up a mail server, but has anyone checked yet to see if this problem persists with Ubuntu 11.04?

My thoughts exactly. I haven't, 'cause I run a completely headless server sans an ethernet connection, so upgrading is a bit of a hassle. However, if it would enable a ramp up in security I'd almost definitely do it.
With that said, my knowledge of all of this is probably amateur at best compared to some of those lurking out there, and I was hoping we could suck some of those folk in here to answer some of these concerns.
It would be useful if you started your guide with:
Customise the editor you want
Code:
export EDITOR=nano
Then throughout the document use
Code:
$EDITOR something something something
instead of assuming people want to use vi...
vi makes me rage HARD. I want to kill kittens when I use it.
Fear is the mindkiller....
The little death that obliterates...
So valuable information. I am also searching for this valuable information.
I followed your instructions on the tutorial however when I want to send an email not from the server (using an email client) I get rejected:
Jun 30 00:54:30 servername postfix/smtpd[32289]: NOQUEUE: reject: RCPT from --.kava.lt[my-ip]: 554 5.7.1 <--@gmail.com>: Relay access denied; from=<karolis@--.ie> to=<--@gmail.com> proto=ESMTP helo=<[server-ip]>
What should be changed so that sending email via client would be possible? Not only for me but for registered users in the database.
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = --.ie
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = --.ie
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
local_recipient_maps =

# how long if undelivered before sending warning update to sender
delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# whom go on holiday with their server switched off.
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12

# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
# Requirements for the sender details
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
# Requirement for the recipient address
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, perm$
smtpd_data_restrictions = reject_unauth_pipelining

# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes

# not sure of the difference of the next two
# but they are needed for local aliasing
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# this specifies where the virtual mailbox folders will be located
virtual_mailbox_base = /var/spool/mail/virtual
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
# and this is for aliases
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
# and this is for domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# this is how to connect to the domains (all virtual, but the option is there)
# not used yet
# transport_maps = mysql:/etc/postfix/mysql_transport.cf

virtual_uid_maps = static:5000
virtual_gid_maps = static:5000