I'm going to try setting this up again according to the tutorial to see at what step functionality breaks. Here is my report:
Before starting, I apt-get purge dovecot-core and postfix.
Install Postfix
Code:
apt-get install postfix
Set FQDN to navolta.com and "Internet Site". Reported warning "newaliases: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol", but no errors. Similar repeated warnings for postalias, postmulti, and postfix immediately following.
Also reported warnings:
Code:
Processing triggers for ufw (0.34~rc-0ubuntu2) ...
WARN: Duplicate profile 'Apache', using last found
WARN: Duplicate profile 'Apache Secure', using last found
WARN: Duplicate profile 'Apache Full', using last found
Checking functionality:
Code:
telnet navolta.com 25
Trying 184.106.238.45...
Connected to saikoled.
Escape character is '^]'.
220 saikoled ESMTP Postfix (Ubuntu)
ehlo navolta.com
250-saikoled
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
dpkg-reconfigure
Code:
dpkg-reconfigure postfix
Options:
- System Mail name: navolta.com
- Root and postmaster mail recipient: user account name
- Other destinations to accept mail for: navolta.com, localhost.localdomain, localhost
- Force synchronous updates on mail queue?: No
- Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 184.106.238.0/24 (Note: this is based on the comment in the tutorial that says to replace "192.168.0.0/24 with the actual network and class range of your mail server")
- Mailbox size limit: 0
- Local address extension character: +
- Internet protocols to use: ipv4 (changing to this eliminates the ipv6 warnings above).
After this, output from telnet navolta.com 25 and ehlo navolta.com is unchanged.
SMTP Configuration
First I followed the instructions for creating certificates using the certificate tutorial which puts self-signed certificates into
Code:
/etc/ssl/certs/server.crt
/etc/ssl/private/server.key
Next, I follow the SMTP Authentication section of the tutorial. First it says to configure the following.
Code:
sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
and then it says to continue with the following, adjusted for my server.
Code:
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = navolta.com'
At this point, the /etc/postfix/main.cf file looks like this:
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = navolta.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = navolta.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 184.106.238.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
which is significantly different from what the tutorial says it should be, but I chalk it up to slight version differences.
At this stage, connecting to the server via telnet navolta.com 25 causes the error seen before regarding the connection being established and then nearly immediately closing with no log messages.
Comparing the instructions in the 14.04 Mail Server Guide to the Community Guide to Postfix shows some differences. For one, the official guide clearly has a typo on the smtpd_recipient_restrictions line: the backslash is not allowed in that command.
In particular, the official guide has the following commands missing from the community guide for the first set of commands:
Code:
sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
while the community guide has the added line
Code:
sudo postconf -e 'inet_interfaces = all'
with the explanation that the former is to authenticate using SASL while the latter authenticates using Dovecot SASL.
The community guide then also instructs to edit /etc/postfix/sasl/smtpd.conf and add:
Code:
pwcheck_method: saslauthd
mech_list: plain login
which in the official guide instead says to only set the mech_list in
Code:
/etc/dovecot/conf.d/10-auth.conf
The community guide also instructs to generate certificates for smtpd specifically, whereas the official documentation only mentions the main certificates:
Code:
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
The community guide instructions for the second set of commands are slightly changed from the official instructions, with the added lines:
Code:
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'
for which I assume the three certificate path changes are due to the production of the extra certificates.
In the interest of confirming the error, I removed these two lines from main.cf
Code:
sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
I created the file /etc/postfix/sasl/smtpd.conf to have:
Code:
pwcheck_method: saslauthd
mech_list: plain login
and I made the permissions on the certificates root:website instead of root:root while removing o-r privileges to match the snakeoil certificate in the directory. I also added
Code:
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
to match my CA certificate, which wasn't included before. I also ran
Code:
sudo service saslauthd start
to ensure that saslauthd was actually running.
After doing these changes, the server works again with telnet, showing:
Code:
telnet navolta.com 25
Trying 184.106.238.45...
Connected to saikoled.
Escape character is '^]'.
220 navolta.com ESMTP Postfix (Ubuntu)
ehlo navolta.com
250-navolta.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
but I do not understand entirely why. It could have been the change in authentication service, or the change in permissions on the certificates. To narrow this down, I stopped the saslauthd service and verified that the telnet command still works. I next reset the ownership on the /etc/ssl/private/server.key and /etc/ssl/certs/server.crt to root:root and the telnet command still works.
Next, I re-executed the command:
Code:
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
and now when I run the telnet check, it gives me:
Code:
telnet navolta.com 25
Trying 184.106.238.45...
Connected to saikoled.
Escape character is '^]'.
220 navolta.com ESMTP Postfix (Ubuntu)
500 5.5.2 Error: bad syntax
ehlo navolta.com
250-navolta.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
250-AUTH=DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
which is a slight change in that it now appears to allow additional authentication methods.
Finally, adding back in the command
Code:
sudo postconf -e 'smtpd_sasl_type = dovecot'
finally breaks the server. Now when I telnet back in I see the server disconnect.
So, I think I can guess with fair certainty that the issue is the "smtpd_sasl_type = dovecot" directive.
Upon reviewing the postfix documentation, I typed postconf -a to ensure that dovecot SASL is supported in the version of postfix I am using. It appears to be supported. I also noted in the documentation that dovecot SASL needs to be installed, which it possibly isn't. I ran
Code:
apt-get install dovecot-core
to install dovecot. I note that this is different from the official guide, which says I need to install dovecot-common. apt-get installed dovecot-core instead, so I assume this is a drop-in replacement, but this could be incorrect. An apt-cache search did not show any other obvious packages that look like a separated-out SASL package.
At this point, I'm not entirely sure what the issue is, but it seems to involve the use of dovecot SASL. More information than this I am not sure how to collect.
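As an added example (not from the post or from either Ubuntu guide): a small Python lint over a constructed main.cf excerpt mirroring the one above and a constructed Dovecot `service auth` fragment. It flags the two things this report touches: `smtpd_sasl_type = dovecot` with no Dovecot `unix_listener` backing `smtpd_sasl_path` (the socket Postfix expects under its queue directory), and AUTH being advertised on cleartext port 25 because `smtpd_tls_auth_only` is not `yes`. The function names and the Dovecot fragments are assumptions; the socket location follows Postfix's SASL_README defaults.

```python
import re

# Constructed excerpt of the poster's main.cf (relevant lines only).
MAIN_CF = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
"""

# Constructed Dovecot 10-master.conf fragments (assumed, not from the post):
# one lacking the listener Postfix needs, one providing it.
DOVECOT_MISSING = "service auth {\n  unix_listener auth-userdb {\n  }\n}\n"
DOVECOT_OK = """service auth {
  unix_listener /var/spool/postfix/private/auth-client {
    mode = 0660
    user = postfix
    group = postfix
  }
}
"""

def parse_main_cf(text):
    """Return {parameter: value} for 'name = value' lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params

def lint_sasl(main_cf, dovecot_conf, queue_directory="/var/spool/postfix"):
    """Return a list of findings about Postfix's SASL/TLS wiring."""
    p = parse_main_cf(main_cf)
    findings = []
    if p.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings  # SASL is off: nothing below applies
    if p.get("smtpd_sasl_type") == "dovecot":
        path = p.get("smtpd_sasl_path", "smtpd")  # Postfix default is "smtpd"
        if not path.startswith("/"):  # relative paths live under queue_directory
            path = f"{queue_directory}/{path}"
        if not re.search(rf"unix_listener\s+{re.escape(path)}\s*{{", dovecot_conf):
            findings.append(f"no Dovecot unix_listener for {path}")
    if p.get("smtpd_tls_auth_only", "no") != "yes":  # Postfix default is "no"
        findings.append("AUTH offered before STARTTLS (smtpd_tls_auth_only = no)")
    return findings
```

With the poster's main.cf and a Dovecot that lacks the listener, both findings fire; the second matches the `250-AUTH PLAIN LOGIN` line seen on the unencrypted telnet session above.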