5 Cups of Ubuntu
gidden2,
I can send mail from RoundCube (have not tried SquirrelMail), but not from Thunderbird and I see the same in my mail.log and auth.log as you describe.
May I ask what you have set the parameter "IMAP_CAPABILITY" to in /etc/courier/imapd? Mine is set to:
/MatsCode:IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
First Cup of Ubuntu
hi m_gustafsson,
I added full /etc/courier/imapd to my previous post. In that parameter I have this :
Code:IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
5 Cups of Ubuntu
gidden2,
I think I got it working on my end now and I can now send emails from both Thunderbird and my iPad via my own server.
I started out by changing my outgoing server in Thunderbird to the local IP of my mail server and tried different combinations of ports etc. When that was working I switched back to the real domain name of my server and then it just worked. Don't know if you have the same problem as I had, and if the client settings are your problem as well.
Anyway, I ended up with the following settings in Thunderbird.
IMAP server
Port: 993
Connection security: SSL/TLS
Authentication method: Normal password
SMTP server
Port: 465
Connection security: SSL/TLS
Authentication method: Normal password
I can hardly believe that it is actually working now, after weeks of work, so I guess that it will not work when I wake up tomorrow
/Mats
First Cup of Ubuntu
Hi there!
First of all I want to express my thanks and respect to the people that provide such great source of information and share knowledge. Kudos to flurdy! I have the set up running since 2 years perfectly.
Just recently I came across the 8 character limitation due to the encrypt() I guess. Now I want to change to stronger passwords but am not really sure what to do. I tried just to use md5() in the sql to encrypt differently but it does not seem to work in the backend (I see that the password is encrypted differently in the db though).
has anyone some hints for me? I have the super standard setup as per flurdys guide.
Thanks a lot!
David
First Cup of Ubuntu
Thanks for this great tutorial: http://flurdy.com/docs/postfix/
That was a big help.
Only two little things, I stumbled on when going through step by step, starting off with Bitnami Tomcat/MySQL AMI:
- "sudo adduser clamav amavis" you should not try to create the clamav user before clamAV is installed, else installation of clamAV will break. So move this one down to clamAV procedure.
- Amavis: "content_filter = amavis:[127.0.0.1]:10024" should be 10025 (or also 10024 in the master.cf)
First Cup of Ubuntu
Thanks for this great tutorial: http://flurdy.com/docs/postfix/
That really appreciate.
I want to ask one question. I configured all configuration and testing them step by step. When i configure SASL, that's working. I can send mail and recieve mail too and i can enter too my roundcube webmail. Then next i configure TLS. I can't enter to my roundcube using my client user and password. ROundcube says "connection to imap server failed" That is my log file
/var/log/mail.log
email imapd: Connection, ip=[::ffff:192.168.30.30]
email imapd: LOGOUT, ip=[::ffff:192.168.30.30], rcvd=14, sent=353
First Cup of Ubuntu
Here's my netstat and iptable status
root@email:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:submission *:* LISTEN 1966/master
tcp 0 0 localhost:spamd *:* LISTEN 1316/spamd.pid
tcp 0 0 *:http *:* LISTEN 2051/apache2
tcp 0 0 *:ssmtp *:* LISTEN 1966/master
tcp 0 0 *:ssh *:* LISTEN 651/sshd
tcp 0 0 *:smtp *:* LISTEN 1966/master
tcp 0 0 localhost:10023 *:* LISTEN 1301/postgrey.pid -
tcp 0 0 localhost:10024 *:* LISTEN 1279/amavisd (maste
tcp 0 0 localhost:10025 *:* LISTEN 1966/master
tcp 0 0 localhost:mysql *:* LISTEN 1093/mysqld
tcp 0 52 192.168.30.30:ssh 192.168.30.31:54957 ESTABLISHED 2087/sshd: test [pr
tcp6 0 0 [::]:submission [::]:* LISTEN 1966/master
tcp6 0 0 [::]:imap2 [::]:* LISTEN 1834/couriertcpd
tcp6 0 0 [::]:ssmtp [::]:* LISTEN 1966/master
tcp6 0 0 [::]:ssh [::]:* LISTEN 651/sshd
tcp6 0 0 [::]:smtp [::]:* LISTEN 1966/master
tcp6 0 0 [::]:imaps [::]:* LISTEN 1862/couriertcpd
root@email:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW
net2fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:INPUT:REJECT:"
reject all -- anywhere anywhere [goto]
Chain FORWARD (policy DROP)
target prot opt source destination
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:FORWARD:REJECT:"
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
fw2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:OUTPUT:REJECT:"
reject all -- anywhere anywhere [goto]
Chain Broadcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type ANYCAST
DROP all -- anywhere base-address.mcast.net/4
Chain Drop (1 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
Broadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
Invalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
NotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Invalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
Chain NotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN
Chain Reject (3 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
Broadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
Invalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
NotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain dynamic (3 references)
target prot opt source destination
Chain eth0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW
smurfs all -- anywhere anywhere ctstate INVALID,NEW
tcpflags tcp -- anywhere anywhere
Chain fw2net (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix "Shorewall:logflagsROP:"
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW
smurfs all -- anywhere anywhere ctstate INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* SSH */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp /* SMTP */
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp /* SMTPS */
ACCEPT tcp -- anywhere anywhere tcp dpt:submission /* Submission */
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 /* IMAP */
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps /* IMAPS */
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* Web */
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* Web */
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net2fw
DROP all -- anywhere anywhere
Chain reject (10 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurflog (2 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:smurfs
DROP all -- anywhere anywhere
Chain smurfs (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0 anywhere
smurflog all -- anywhere anywhere [goto] ADDRTYPE match src-type BROADCAST
smurflog all -- base-address.mcast.net/4 anywhere [goto]
Chain tcpflags (2 references)
target prot opt source destination
logflags tcp -- anywhere anywhere [goto] tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere [goto] tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere [goto] tcpflags: SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere [goto] tcpflags: FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere [goto] tcp spt:0flags: FIN,SYN,RST,ACK/SYN
First Cup of Ubuntu
I got thunderbird working with this settings too, but how can i get rid of the "normal password" authentication method? I strictly followed the tutorial and got the impression that it would allow me to use encrypted autentication, like CRAM-MD5 instead of "normal password". Is this assumtion correct or did i misunderstood and "normal password" is the way to go?Originally Posted by m_gustafsson
gidden2,
I think I got it working on my end now and I can now send emails from both Thunderbird and my iPad via my own server.
I started out by changing my outgoing server in Thunderbird to the local IP of my mail server and tried different combinations of ports etc. When that was working I switched back to the real domain name of my server and then it just worked. Don't know if you have the same problem as I had, and if the client settings are your problem as well.
Anyway, I ended up with the following settings in Thunderbird.
IMAP server
Port: 993
Connection security: SSL/TLS
Authentication method: Normal password
SMTP server
Port: 465
Connection security: SSL/TLS
Authentication method: Normal password
I can hardly believe that it is actually working now, after weeks of work, so I guess that it will not work when I wake up tomorrow
/Mats
If it should allow to use encrypted authentication, what are the parts in the tutorial i should take a closer look?
Btw. i added CRAM-MD5 to the imap_capability in the /etc/courier/imapd.
I tried roundcube and even here i can only use "LOGIN" as authentication method, but the roundcube detects that there should be CRAM-MP5 availabe (probably because it is enabled in courier) but resulting in "login failed".
I even looked in the courier documentation and it says that CRAM-MD5 authentication only works with plain passwords in the database, but if i understand correctly whats described in the tutorial that there is a workaround using SASL and PAM, i did whats described in the tutorial but either i made a mistake or it did not work.
Can someone help me?
Spilled the Beans
First, thanks _a lot_ for the guide, I followed it and it worked nearly flawlessly. I only had issues with SASL and Roundcube playing nice together (over TLS), which seems to be the main headache anyways
Maybe it's because the guide does non-TLS config first and then specifies changes to have a TLS config but since the final configuration states that the smtps/submission listener should restrict to sasl authenticated (logical) and does not allow unauthenticated local webclients by default I had to change a couple of things.
Of course, I could have just added
toCode:permit_mynetworksin /etc/postfix/master.cf for both smtps and submission, but it would not have been as clean.Code:-o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
Instead, I first changed the submission to launch in chroot, since the guide does not have it chrooted. Plus submission on port 587 is much newer than smtps on port 465 and should be used for Roundcube.
In /etc/postfix/master.cf use the following line (remove the second 'n' from the guide).
Then make sure that in /etc/default/saslauthd you follow the guide (The different path for the socket are described just above in the same file):Code:submission inet n - - - - smtpd
Then Roundcube needs to be modified in order to use submission on the correct port, and this is the big difference : authenticate itself.Code:OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"
So in main.inc.php (whatever your location is, if you're using Ubuntu 12.04 LTS and do not want the old 0.7.x version, you can just use a manual installation following Roundcube's own guide and point your webserver to it).
- You must use tls:// for port 587 and ssl:// for port 465 since they are different protocols and won't work interchangeably.Code:$rcmail_config['smtp_server'] = 'tls://localhost'; $rcmail_config['smtp_port'] = 587; $rcmail_config['smtp_user'] = '%u'; $rcmail_config['smtp_pass'] = '%p'; $rcmail_config['smtp_auth_type'] = 'LOGIN';
- You must tell Roundcube to give login/pw info to the smtp server, otherwise it will not be authenticated and since you only allow sasl authenticated clients, it will fail.
- The only method that worked for me was "LOGIN", using CRAM-MD5 or MD5-DIGEST had the pam authentication fail (I guess maybe because it's stored in the DB as a crypt token derived directly from a plaintext and not from an MD5 digest but I might be wrong). Eventhough this is not the most secure login type since it's basically plaintext/base64, it goes through TLS (if you force submission TLS only as described in the guide) and therefore shouldn't be that much of an issue.
If anyone has a way to get any of the digest method to work, please do reply.
Also things to consider that weren't mentionned in the guide :
- Make sure /etc/pam.d/smtp is empty from anything else than what the guide mentions.
- You can test SASL with testsaslauthd command such as
and see what goes on in sasl (/var/log/mail.log), the pam.d (/var/log/auth.log) module and mysql (/var/log/mysql/mysql.log) database getting hit with the SELECT query.Code:testsaslauthd testsaslauthd -r <DOMAIN> -u <USER_WITHOUT_@DOMAIN> -p '<CLEARTEXT_PASSWORD>' -f /var/spool/postfix/var/run/saslauthd/mux -s smtp
- Some options that are worth considering since they help a lot debugging postfix :
One last thing concerning the guide, at one point the term 'apassword' is used for both the mail users themselves (when generating the encrypt/salted string) and the database user for the maildb (virtual hosts files etc.), it could become a bit confusing.Code:debug_peer_list=<IP_OF_PEER_TO_DEBUG> debug_peer_level=3
First Cup of Ubuntu
@tehownt
hey, could you please check if your post is related to my question i posted right above it? I am not sure if i understand what you wrote but it seems related to me. Does it solve my problem?
Posting Permissions
Adv Reply
Bookmarks