Gentoo Archives: gentoo-security

From: Joerg Mertin <smurphy@××××××.org>
To: gentoo-security@l.g.o
Subject: Re: Fwd: Re: [gentoo-security] postfix and SASL
Date: Wed, 05 Oct 2005 13:46:43
Message-Id: 36189.80.146.243.75.1128519477.squirrel@stargate.solsys.org
In Reply to: Fwd: Re: [gentoo-security] postfix and SASL by Joe Strusz
I bet it has something to do with your sasl configuration.
Had that back in time too... Check it is working.
I have linked the saslauth to pam/ldap - so I can have local and remote
users going in... Took me some time to figure this out.
It's too long ago for me to remember details - but that's where I would
look if I were you...
Check your logs mail/system and auth for hints.

Cheers

Joerg

<quote who="Joe Strusz">
> OK, well i disabled the smtpd_tls_auth_only line.
>
> And now whenever i try to connect via say outlook express on a client
> machine...
>
> I check the box that says, "my outgoing server requires
> authentication", and i do get the password prompt, however whichever
> login/password i try to use it gets rejected, over and over and over
> again...
>
>
> any suggestions?
>
>>Date: Wed, 5 Oct 2005 15:15:22 +0200 (CEST)
>>Subject: Re: [gentoo-security] postfix and SASL
>>From: "Joerg Mertin" <smurphy@××××××.org>
>>To: gentoo-security@l.g.o
>>
>>OK - as this seems to be quite difficult for many - here my configuration
>>of postfix - TLS and SASL parts only:
>>
>>## TLS
>># Transport Layer Security
>>#
>>smtpd_use_tls = yes
>>smtpd_tls_auth_only = yes
>>smtpd_tls_key_file = /etc/ssl/postfix/stargate.solsys.org.key
>>smtpd_tls_cert_file = /etc/ssl/postfix/stargate.solsys.org.crt
>>smtpd_tls_CAfile = /etc/ssl/postfix/stargate.solsys.org.pem
>>smtpd_tls_loglevel = 3
>>smtpd_tls_received_header = yes
>>smtpd_tls_session_cache_timeout = 3600s
>>tls_random_source = dev:/dev/urandom
>>
>># SASL SUPPORT FOR CLIENTS
>>#
>># The following options set parameters needed by Postfix to enable
>># Cyrus-SASL support for authentication of mail clients.
>>#
>>broken_sasl_auth_clients = yes
>>smtpd_sasl_auth_enable = yes
>>smtpd_sasl_security_options = noanonymous
>>smtpd_data_restrictions = reject_unauth_pipelining
>>smtpd_sasl_local_domain =
>>
>>
>>This setup works here for 2 Years ...
>>Cheers
>>
>>Joerg
>>
>>
>><quote who="Joe Strusz">
>> > Whenever i telnet to port 25, and issue the AUTH PLAIN command i receive
>> > this:
>> >
>> > 538: Encryption required for requested authentication mechanism.
>> >
>> > What does this mean?
>> >
>> > I could really use some help on this... it's been bugging me for weeks now.
>> >
>> > Also, I do have smtpd_tls_auth_only = yes line
>> >
>> >
>> > Please help
>> >
>> > blargh.
>> >
>> > Your fellow befumbled gentoo user.
>> >
>> >
>> >
>> >>Date: Wed, 05 Oct 2005 12:36:01 +0100
>> >>From: Jonathan Wright <mail@×××××××××.uk>
>> >>To: gentoo-security@l.g.o
>> >>Subject: Re: [gentoo-security] postfix and SASL
>> >>
>> >>Benjamin A'Lee wrote:
>> >>>>Not sure but: why on port 25 and not on 465 ?
>> >>>I don't think it actually matters which port; IIRC it just enables
>> >>>STARTTLS by default on 465.
>> >>
>> >>Port 465 is for SSL (i.e. secure communication before any
>> >>application data is transferred) and Port 25 accepts TLS (where the
>> >>data is secured once both parties accept, however, application data
>> >>transfer has occurred).
>> >>
>> >>Anyway, with telnet you can't talk on port 465 :)
>> >>
>> >> > I have confirmed postfix is indeed compiled with SASL support. And i
>> >> > have TLS working great. However when i telnet to port 25 and issue the
>> >> > ehlo command, i do receive the starttls etc... yet no AUTH PLAIN
>> >> > lines...
>> >>
>> >>Depending on the configuration, AUTH PLAIN can either be disabled,
>> >>or more likely, it's only sent should STARTTLS be issued. I have the
>> >>following lines in my main.cf:
>> >>
>> >>-- cut -----------------------------------------
>> >># SMTPD SERVER CONTROLS
>> >>smtpd_sasl_auth_enable = yes
>> >>smtpd_sasl_security_options = noanonymous, noplaintext
>> >>broken_sasl_auth_clients = yes
>> >>smtpd_sasl_local_domain =
>> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
>> >>permit_mynetworks, reject_unauth_destination
>> >>
>> >>smtpd_use_tls = yes
>> >>smtpd_tls_auth_only = yes
>> >>smtpd_tls_key_file = /etc/postfix/cacert/kenny.key
>> >>smtpd_tls_cert_file = /etc/postfix/cacert/kenny.pem
>> >>smtpd_tls_CAfile = /etc/postfix/cacert/cacert.pem
>> >>smtpd_tls_loglevel = 1
>> >>smtpd_tls_received_header = yes
>> >>smtpd_tls_session_cache_timeout = 3600s
>> >>tls_random_source = dev:/dev/urandom
>> >>-- cut -----------------------------------------
>> >>
>> >>TLS is enabled, but smtpd_tls_auth_only will only permit
>> >>authorization from clients who have issued (and successfully
>> >>negotiated) the STARTTLS command.
>> >>
>> >>Also, you can define what methods Postfix accepts by modifying the
>> >>smtp_sasl_security_options directive.
>> >>
>> >>HTH,
>> >>
>> >>--
>> >> Jonathan Wright ~ mail at djnauk.co.uk
>> >> ~ www.djnauk.co.uk
>> >>--
>> >> 2.6.12-gentoo-r6-djnauk-b2 AMD Athlon(tm) XP 2100+
>> >> up 5 days, 3:02, 4 users, load average: 0.72, 0.97, 0.71
>> >>--
>> >> "I don't mind straight people as long as they act gay in
>> >> public."
>> >>
>> >> ~ T-shirt worn by Dennis Rodman of the Chicago Bulls
>> >>--
>> >>gentoo-security@g.o mailing list
>> >
>> >
>> > Joe Strusz
>> >
>> > IT Assistant
>> > Oxford Publishing, Inc.
>> > 307 West Jackson Avenue
>> > Oxford, MS 38655-2154
>> > 800-247-3881
>> > 662-236-5510x40
>> > jstrusz@×××××.com
>> > http://www.nightclub.com
>> >
>> >
>> > --
>> > gentoo-security@g.o mailing list
>> >
>> >
>>
>>
>>--
>>------------------------------------------------------------------------
>>| Joerg Mertin : smurphy@××××××.org (Home)|
>>| in Forchheim/Germany : smurphy@×××××.de (Alt1)|
>>| Stardust's LiNUX System : |
>>| Web: http://www.solsys.org |
>>------------------------------------------------------------------------
>>PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
>>
>>
>>
>>--
>>gentoo-security@g.o mailing list
>
>
> Joe Strusz
>
> IT Assistant
> Oxford Publishing, Inc.
> 307 West Jackson Avenue
> Oxford, MS 38655-2154
> 800-247-3881
> 662-236-5510x40
> jstrusz@×××××.com
> http://www.nightclub.com
>
>
> --
> gentoo-security@g.o mailing list
>
>


--
------------------------------------------------------------------------
| Joerg Mertin : smurphy@××××××.org (Home)|
| in Forchheim/Germany : smurphy@×××××.de (Alt1)|
| Stardust's LiNUX System : |
| Web: http://www.solsys.org |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A



--
gentoo-security@g.o mailing list
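Added example (not from this thread or from Postfix) to check what a server actually advertises: with smtpd_tls_auth_only = yes, AUTH only shows up in the EHLO reply after STARTTLS, which is the 538 symptom discussed above. The `probe` helper, the policy names and the two EHLO replies are assumptions; the replies are constructed, not captured.

```python
"""Diagnose the 538 'Encryption required' reply from the thread: with
smtpd_tls_auth_only = yes, Postfix advertises and accepts AUTH only after
STARTTLS, so compare the EHLO reply before and after the TLS handshake."""
import smtplib
import ssl

def parse_ehlo(ehlo_resp):
    """Turn the EHLO body smtplib stores in SMTP.ehlo_resp (bytes, one
    keyword per line) into {KEYWORD: [parameters]}."""
    caps = {}
    for line in ehlo_resp.decode("ascii", "replace").splitlines():
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps

def auth_policy(before_tls, after_tls):
    """Classify the two capability sets.  'auth-requires-tls' is the
    smtpd_tls_auth_only = yes behaviour: a cleartext AUTH PLAIN is then
    answered with the 538 seen in the thread."""
    if "AUTH" in before_tls:
        return "auth-advertised-in-clear"   # smtpd_tls_auth_only = no
    if "STARTTLS" in before_tls and "AUTH" in after_tls:
        return "auth-requires-tls"
    if "STARTTLS" not in before_tls:
        return "no-starttls"                # TLS not offered at all
    return "auth-not-offered"               # SASL off or broken even under TLS

def probe(host, port=25, timeout=10):
    """Live check (assumed helper, needs network): EHLO, STARTTLS, EHLO
    again; returns both parsed replies for auth_policy()."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = parse_ehlo(s.ehlo_resp)
        after = {}
        if "STARTTLS" in before:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()            # capabilities must be re-read after TLS
            after = parse_ehlo(s.ehlo_resp)
    return before, after

# Constructed EHLO replies (not captured from any real host) in the shape
# a smtpd_tls_auth_only = yes server produces before and after STARTTLS.
EHLO_CLEAR = b"mail.example.test\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
EHLO_TLS = b"mail.example.test\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n8BITMIME"
```

If `probe` reports "auth-requires-tls" but a client that does use TLS still gets its password rejected, the problem is in the SASL backend (saslauthd/PAM), which is where the reply above points; the default SSL context verifies the server certificate, so a self-signed certificate will make `starttls` fail.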