Brano (MVM) to graysonf:
Re: Postfix and Port 25

graysonf: I agree with your assessment; however, I feel that we also need to educate the OP that the solution sought will almost certainly lead to undelivered mail.
Most servers require authentication on 587, and 'generic' mail needs to be delivered to 25. To cover specific cases that go through the default hop and port, there are relayhost:port or recipient maps.

jimkyle (Premium Member):

said by Brano:

graysonf: I agree with your assessment; however, I feel that we also need to educate the OP that the solution sought will almost certainly lead to undelivered mail.
Most servers require authentication on 587, and 'generic' mail needs to be delivered to 25. To cover specific cases that go through the default hop and port, there are relayhost:port or recipient maps.

I'm aware of the undelivered mail possibilities, and can live with them. I check my logs via logwatch each day (that was my original reason for setting up the postfix server: to have sendmail capability for logwatch to use and send mail out to my main off-site server) and follow up all anomalies.

Many thanks to all who have responded. I have a gmail account that can probably be used as a relay host, in addition to the AT&T account and its 10 subaccounts, which come automatically with their service. I make essentially no use of the AT&T account since it goes through Yahoo and is usually quite flaky, but will give the gmail account a try once I determine how to make postfix authenticate to it automagically... Suggestions for doing this will be enthusiastically welcomed; it's been years since I tried to use the relay host options and I've forgotten all I ever knew about it.

I did find, via google searching, one suggestion to use iptables via a rule in the OUTPUT chain of the nat table that would redirect anything with a dport of 25 over to a dport of 587 -- and it led to some interesting error messages: no matter what IP I attempted to send test messages to, postfix got my own hostname back in the HELO phase of the connection, and errored out as an infinite loop! It turns out (per the man page) that the "jump REDIRECT" action of the rule silently changes the destination IP from that specified to that of the originating interface!!! Thus the suggested solution was completely useless. When I changed the main.cf file back to ignore the "submission" port, the errors went back to the expected "Connection refused."
propcgamer (Member):

said by jimkyle:

but will give the gmail account a try once I determine how to make postfix authenticate to it automagically... Suggestions for doing this will be enthusiastically welcomed;

Do a Google search for postfix gmail relay; there are plenty of good guides.

Brano (MVM):

Actually, I use gmail as a relay too; here's the config:

/etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
 

/etc/postfix/sasl_passwd
[smtp.gmail.com]:587    myemail@gmail.com:mypasswd
 

jimkyle (Premium Member):

Many thanks! Do I need to do anything special other than creating the sasl_passwd file and editing main.cf? I seem to recall having to do a run-once action with a utility to create the hash when setting up my aliases...

Brano (MVM):

To create the map, run 'postmap /etc/postfix/sasl_passwd' and restart postfix afterwards.

graysonf (MVM) to Brano:
I did mention that destination port 587 will fail for some destinations. Maybe you missed that?

Brano (MVM):

Maybe I did

jimkyle (Premium Member) to Brano:
I've made those changes and reloaded postfix (perhaps I should have restarted instead) and got this in my mail log:
Nov  9 12:46:54 mehitabel postfix/cleanup[9802]: 43AFB100037: message-id=<20131109184654.43AFB100037@jimkyle.dns2go.com>
Nov  9 12:46:54 mehitabel postfix/qmgr[9797]: 43AFB100037: from=<root@jimkyle.dns2go.com>, size=281, nrcpt=1 (queue active)
Nov  9 12:46:54 mehitabel postfix/smtp[9804]: 43AFB100037: to=<test@jimkyle.com>, relay=smtp.gmail.com[173.194.77.108]:587, delay=12, delays=12/0.1/0.47/0.04, dsn=5.5.1, status=bounced (host smtp.gmail.com[173.194.77.108] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 http://support.google.com/mail/bin/answer.py?answer=14257 it7sm15401854obb.11 - gsmtp (in reply to MAIL FROM command))
Nov  9 12:46:55 mehitabel postfix/cleanup[9802]: 0ABBE100038: message-id=<20131109184655.0ABBE100038@jimkyle.dns2go.com>
Nov  9 12:46:55 mehitabel postfix/bounce[9806]: 43AFB100037: sender non-delivery notification: 0ABBE100038
Nov  9 12:46:55 mehitabel postfix/qmgr[9797]: 0ABBE100038: from=<>, size=2410, nrcpt=1 (queue active)
Nov  9 12:46:55 mehitabel postfix/qmgr[9797]: 43AFB100037: removed
 

EDIT: restarted postfix but get the same set of errors...

leibold (MVM):

1.) Did you correctly enter the information in sasl_passwd?
It is very important that the left-hand side is an *exact* match of the destination as specified in the relayhost directive. It is equally important that the email account and password are correct.
2.) Did you run 'postmap sasl_passwd' before the 'postfix reload'?
3.) Did you follow the instructions at the google link in the error log to unlock your gmail account?
If not, read the instructions here.
Keep in mind that postfix is your email client in this context.
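A pre-flight check for the relayhost/sasl_passwd pairing Brano posted and for leibold's points 1 and 2, written here as an added example (it is not code from this thread or from Postfix). It parses the relay-related main.cf and sasl_passwd lines, flags a lookup key that differs from relayhost only in brackets (the mistake this thread turned up), and flags the case where only the smtpd_ (inbound server) SASL switch is set while smtp_sasl_auth_enable, which the outbound client needs, is missing. The sample inputs are constructed.

```python
import re

# Constructed sample input in the shape the thread shows (bracketed host, port 587).
# It deliberately reproduces two mistakes seen in the thread: the smtpd_ (inbound)
# SASL switch instead of the smtp_ (outbound) one, and a missing '[' in sasl_passwd.
MAIN_CF = """\
myhostname = jimkyle.dns2go.com
relayhost = [smtp.gmail.com]:587
smtpd_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
"""
SASL_PASSWD = "smtp.gmail.com]:587    myemail@gmail.com:mypasswd\n"


def parse_main_cf(text):
    """Parse simple 'key = value' lines, skipping blanks and comments."""
    params = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_sasl_passwd(text):
    """Map each lookup key to its 'user:password' string (whitespace separates the two)."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) == 2 and not raw.startswith("#"):
            entries[parts[0]] = parts[1]
    return entries


def bare(hostport):
    """Strip the [] that suppress MX lookups, to spot near-miss lookup keys."""
    return re.sub(r"[\[\]]", "", hostport)


def check_relay_auth(main_cf_text, sasl_passwd_text):
    """Return a list of findings; an empty list means the relay auth setup is consistent."""
    cf = parse_main_cf(main_cf_text)
    creds = parse_sasl_passwd(sasl_passwd_text)
    findings = []
    relayhost = cf.get("relayhost", "")
    if not relayhost:
        findings.append("relayhost is not set")
    if cf.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        msg = "smtp_sasl_auth_enable is not 'yes': the SMTP client will never send AUTH"
        if cf.get("smtpd_sasl_auth_enable", "").lower() == "yes":
            msg += " (smtpd_sasl_* settings only cover the inbound server side)"
        findings.append(msg)
    if "sasl_passwd" not in cf.get("smtp_sasl_password_maps", ""):
        findings.append("smtp_sasl_password_maps does not point at the sasl_passwd map")
    if "noanonymous" not in cf.get("smtp_sasl_security_options", ""):
        findings.append("smtp_sasl_security_options should include noanonymous")
    if relayhost and relayhost not in creds:
        if any(bare(k) == bare(relayhost) for k in creds):
            findings.append("sasl_passwd key differs from relayhost only in brackets; "
                            "the lookup key must be exactly '%s'" % relayhost)
        else:
            findings.append("no sasl_passwd entry for relayhost '%s'" % relayhost)
    return findings
```

Run it against the real files before 'postmap' and 'postfix reload'; an empty list means the two files agree, it does not prove the credentials themselves are valid.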

jimkyle (Premium Member):

Well, I lost my original reply here. I had forgotten the postmap step, and in addition the information in sasl_passwd was missing the opening bracket. After fixing sasl_passwd I did the postmap, then restarted postfix, and sent a new test message to myself as before. This time the mail.log's final two entries were the "stop" and "start" reports from the restart; there was no indication at all that the new test message had been picked up for sending.

I'll try the unlock procedure next, but am wondering why the new test message never made it into the log...

EDIT: FWIW, postqueue -p shows the queue as being empty, so apparently I've managed to bork my postfix configuration somehow!

jimkyle (Premium Member) to leibold:
Did it all, still get this:
Nov  9 13:39:06 mehitabel postfix/cleanup[10797]: 56F43100031: message-id=<20131109193906.56F43100031@jimkyle.dns2go.com>
Nov  9 13:39:06 mehitabel postfix/qmgr[10534]: 56F43100031: from=<root@jimkyle.dns2go.com>, size=285, nrcpt=1 (queue active)
Nov  9 13:39:07 mehitabel postfix/smtp[10799]: 56F43100031: to=<test3@jimkyle.com>, relay=smtp.gmail.com[173.194.64.109]:587, delay=13, delays=13/0.01/0.58/0.05, dsn=5.5.1, status=bounced (host smtp.gmail.com[173.194.64.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 http://support.google.com/mail/bin/answer.py?answer=14257 s4sm25520915yhs.14 - gsmtp (in reply to MAIL FROM command))
Nov  9 13:39:07 mehitabel postfix/cleanup[10797]: 406A5100032: message-id=<20131109193907.406A5100032@jimkyle.dns2go.com>
Nov  9 13:39:07 mehitabel postfix/qmgr[10534]: 406A5100032: from=<>, size=2414, nrcpt=1 (queue active)
Nov  9 13:39:07 mehitabel postfix/bounce[10800]: 56F43100031: sender non-delivery notification: 406A5100032
Nov  9 13:39:07 mehitabel postfix/qmgr[10534]: 56F43100031: removed
 
???

Brano (MVM):

What version of postfix do you have?
Do you have libsasl2 installed?
Also (if I'm not mistaken) postfix will complain if the passwd file is readable by others, so do chmod 600 /etc/postfix/sasl_passwd*

Here's my entire main.cf for comparison:
myhostname = myserver.mydomain.com
mydestination = myserver, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 192.168.10.1 192.168.10.2
inet_protocols = ipv4
 
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtp_tls_protocols = TLSv1
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
 
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
 
smtpd_client_restrictions =
        permit_mynetworks,
        reject
 
smtp_tls_loglevel = 1
 

jimkyle (Premium Member):

I'll have to study this a bit. I don't have the TLS stuff in main.cf so that may be what I'm doing wrong. I don't run apache at all so probably won't need everything you have, but probably do need more than I have at the moment. I'll pare my main.cf down (removing comments and redacting critical information) and post it a bit later...

Oops... my aged eyes read "apache" instead of "cache" on several lines! Sorry!

jimkyle (Premium Member) to Brano:
Here's my main.cf:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
 
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
myhostname = jimkyle.dns2go.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = mehitabel, localhost.localdomain, localhost, jimkyle.dns2go.com
relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
sender_canonical_maps = hash:/etc/postfix/sender_canonical
home_mailbox = Maildir/
 
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = 
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom
 

The smtp-related lines toward the bottom are the defaults added when I installed dovecot in order to deliver mail to my regular mail client. I believe the fact that they're working indicates that I do have libsasl2 installed, but I am not certain...

Brano (MVM):

I'd increase the logging level to see what is actually wrong; add:
debug_peer_list = smtp.gmail.com
debug_peer_level = 2
 

Also, I see you're using the dovecot SASL plugin. I use the default cyrus SASL. Check the increased logging first.

jimkyle (Premium Member):

I got more than 300 lines of log data for a single test message, which is a bit much to clutter up this forum with. What should I be looking for in this mass of exquisite detail?

The first thing I see that looks suspicious is this, starting at line 50:
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: > smtp.gmail.com[173.194.77.109]:587: EHLO jimkyle.dns2go.com
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250-mx.google.com at your service, [162.227.43.138]
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250-SIZE 35882577
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250-8BITMIME
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250-AUTH LOGIN PLAIN XOAUTH XOAUTH2 PLAIN-CLIENTTOKEN
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250-ENHANCEDSTATUSCODES
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250 CHUNKING
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: server features: 0x100b size 35882577
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: > smtp.gmail.com[173.194.77.109]:587: MAIL FROM:<jim@jimkyle.com> SIZE=329
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 530-5.5.1 Authentication Required. Learn more at
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 530 5.5.1 http://support.google.com/mail/bin/answer.py?answer=14257 f2sm23542345oes.3 - gsmtp
 

I have no idea where my "jim@jimkyle.com" got into the act; perhaps it's because that's the address to which my pop3 messages from the gmail account are forwarded.

Incidentally, I have no need to redact my mail addresses from posts here, because I run a Btrieve data recovery service through those addresses and they've all been out in the wild for more than a dozen years via my website at www.jimkyle.com.

Think perhaps I should create a totally different gmail account to use as the relay? Or does this fragment provide enough information to give you ideas of what else might be going on?

graysonf (MVM):

It looks like authentication is not working for some reason. Double check your gmail user/password credentials.

Another possibility is that your copy of Postfix wasn't compiled with the sasl and tls stuff included.

What OS are you running it on? Where did the postfix package come from?

Try telnetting to your Postfix box on port 25 and issue an

ehlo example.com

and see what's in the capabilities list it outputs.

jimkyle (Premium Member):

To answer the questions in order, the user and password match those which get me into the webmail interface at gmail.com. The postfix server works properly with dovecot, using sasl, but I'm not sure the tls stuff is there. My o/s is Xubuntu 12.04.3 LTS with all updates installed, and the postfix package came from the Ubuntu repositories via Synaptic package manager.

I've found another puzzle in the fragment of debug log that I posted above: the AUTH line received from the gmail.com server doesn't list either SASL or TLS as an authentication method. Shouldn't it? Or is that implied by the other methods they do list? Obviously, I'm not at all familiar with the innards of the protocol although I've been using it for a dozen years. This is the first time I've needed to get this deep into it!

Here's the result of the telnet test:
jk@mehitabel:~$ telnet localhost 25
Trying 127.0.0.1...
Trying ::1...
telnet: Unable to connect to remote host: Network is unreachable
 

Very strange; "ifconfig -a" shows the "lo" interface up and running.

It's nearing midnight here in OKC so I'll be hitting the hay before much longer. I do appreciate all the help I'm getting here, and intend to stay with it until we find out what's going on. It might even help someone else in the future!

jimkyle (Premium Member) to graysonf:
I tried the test from another machine on my LAN and it worked. Here's the output:
jk@xubuntu2:~$ telnet mehitabel.mylan 25
Trying 192.168.0.2...
Connected to mehitabel.mylan.
Escape character is '^]'.
220 jimkyle.dns2go.com ESMTP Postfix (Ubuntu)
ehlo example.com
250-jimkyle.dns2go.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
jk@xubuntu2:~$ 
 
Looks like it's advertising TLS capability. Still no indication where gmail is getting "jim@jimkyle.com" from, unless it's looking up my IP in some database at their end. Postfix certainly isn't sending it out so far as I can tell from the debug data.

leibold (MVM):

In the debug output the lines with "<" show what postfix has received from the peer (gmail in this case) while the lines with ">" are what postfix is sending to the peer.

The command "MAIL" with the "FROM:" header line is sent from postfix to gmail. Presumably whatever mail client you used to generate this email message produced jim@jimkyle.com as the sender address.
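As an added example (not code from this thread or from Postfix), a small parser for the smtp(8) transcript that debug_peer_level = 2 produces, using the direction markers leibold describes: it pulls out the AUTH mechanisms the relay advertised, the envelope sender Postfix announced in MAIL FROM, the first reply code after it, and whether an AUTH command was sent before MAIL FROM at all. The log excerpt is the one posted earlier in this thread, trimmed; the 'postconf -a' hint in the diagnosis refers to the real postconf option that lists the available SASL client plug-in types.

```python
import re

# Excerpt of the smtp(8) transcript posted earlier in this thread (debug_peer_level = 2),
# trimmed: '>' marks what Postfix sent to the relay, '<' what the relay answered.
LOG = """\
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: > smtp.gmail.com[173.194.77.109]:587: EHLO jimkyle.dns2go.com
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250-mx.google.com at your service, [162.227.43.138]
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250-SIZE 35882577
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250-AUTH LOGIN PLAIN XOAUTH XOAUTH2 PLAIN-CLIENTTOKEN
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 250 CHUNKING
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: > smtp.gmail.com[173.194.77.109]:587: MAIL FROM:<jim@jimkyle.com> SIZE=329
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 530-5.5.1 Authentication Required. Learn more at
Nov  9 21:49:40 mehitabel postfix/smtp[13577]: < smtp.gmail.com[173.194.77.109]:587: 530 5.5.1 http://support.google.com/mail/bin/answer.py?answer=14257 f2sm23542345oes.3 - gsmtp
"""

# Only the client/server exchange lines carry a direction marker; other debug
# lines (smtp_stream_setup, server features, ...) have none and are skipped.
LINE_RE = re.compile(r"postfix/smtp\[\d+\]: ([<>]) (\S+): (.*)$")


def parse_transcript(log):
    """Return (direction, peer, text) for every exchange line in the log."""
    return [m.groups() for m in (LINE_RE.search(line) for line in log.splitlines()) if m]


def analyze_relay_auth(log):
    """Summarise one delivery attempt: mechanisms the relay offered, whether Postfix
    sent AUTH before MAIL FROM, the envelope sender it announced, and the reply code."""
    result = {"auth_offered": [], "client_sent_auth": False,
              "mail_from": None, "reply_code": None, "diagnosis": "ok"}
    awaiting_reply = False
    for direction, _peer, text in parse_transcript(log):
        if direction == "<":
            m = re.match(r"250[- ]AUTH (.+)", text)
            if m:
                result["auth_offered"] = m.group(1).split()
            elif awaiting_reply and re.match(r"\d{3}[ -]", text):
                result["reply_code"] = text[:3]   # first line of the reply to MAIL FROM
                awaiting_reply = False
            continue
        verb = text.split()[0].upper() if text.split() else ""
        if verb == "AUTH":
            result["client_sent_auth"] = True
        elif verb == "MAIL":
            m = re.search(r"FROM:<([^>]*)>", text)
            result["mail_from"] = m.group(1) if m else ""
            awaiting_reply = True
    if result["reply_code"] == "530":
        if not result["auth_offered"]:
            result["diagnosis"] = "relay demands authentication but advertised no AUTH mechanisms"
        elif not result["client_sent_auth"]:
            result["diagnosis"] = ("relay offered AUTH but Postfix sent MAIL FROM without AUTH; "
                                   "check smtp_sasl_auth_enable, the sasl_passwd key and "
                                   "SASL client support (postconf -a)")
        else:
            result["diagnosis"] = "AUTH was attempted yet the relay still refused the sender"
    return result
```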

jimkyle (Premium Member):

I simply used sendmail to generate the tests; never thought to check its configuration for "sender." However I don't think this is likely to be the root cause of the authentication failure.

I've been reading a couple of the many SASL how-to files and came across several points. First, the AUTH lines in the telnet test don't indicate any SASL capability, only showing PLAIN. Second, one of the how-tos on the postfix site itself says that the dovecot SASL capability does not support using it for what seems to be this case! Only the cyrus type provides the needed capability. If this is the problem, then how can I set up a local pop3 capability without using dovecot?

Seems as if the swamp is breeding alligators faster than we can knock them out!

Brano (MVM):

Try switching your sasl backend to cyrus and re-do the tests.

graysonf (MVM) to jimkyle:
said by jimkyle:

Here's the result of the telnet test:

jk@mehitabel:~$ telnet localhost 25
Trying 127.0.0.1...
Trying ::1...
telnet: Unable to connect to remote host: Network is unreachable
 

Very strange; "ifconfig -a" shows the "lo" interface up and running.

It's not enough that lo is up. Postfix needs to be bound to it also. You probably restricted Postfix from binding to all interfaces, and specified only your ethernet adapter.

jimkyle (Premium Member):

said by graysonf:

You probably restricted Postfix from binding to all interfaces, and specified only your ethernet adapter.

Nope; I have interfaces=all in main.cf. It might be something in my iptables rules however...

Since I can telnet in from the other box in my office I'll leave this problem for the moment and concentrate on getting SASL working (or trying another off-site mail server instead of gmail). Right now the dovecot-vs-cyrus SASL type looks most promising...

graysonf (MVM):

You should verify how your copy of Postfix was compiled. Many of the options are not in the default configuration and must be enabled at build time. If you refer to such options in your Postfix configuration and the capabilities are not present in the compiled code, you may or may not see errors in the logs.

Brano (MVM) to jimkyle:
You can always find every default config option with postconf -d, and the current options with just postconf.

jimkyle (Premium Member) to Brano:
said by Brano:

Try switching your sasl backend to cyrus and re-do the tests.

Did this, and the telnet responses did show SASL methods afterward, but the test message log results did not change. The gmail server still says authentication failed, just as before.

I've commented out the debug entries from main.cf while I mull over these findings. It looks more and more like a catch-22 situation. Dovecot still works even though I changed the SASL type to cyrus, but it may still be interfering with things. I'm considering totally removing it and also all its associated lines in main.cf, but that will cripple my daily checks of logwatch by removing the local POP3 delivery capability...

Thanks much for all the help!

graysonf (MVM):

Maybe you can try talking to smtp.gmail.com on port 465, the SSL/TLS port, rather than the submission port 587.

Brano (MVM) to jimkyle:
Can you post one full log with log level 2 and TLS log level 1? Pretty much the same type of log as I posted.