1 (edited by Thierry 2015-11-09 13:39:46)

Topic: [Resolved] SSL-secured connection and authentication

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 9.0.2
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  Mysql
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hi,

To be able to use the secured smtp connection between my email server and my ISP (smtpa.dmain.tld port 465)  I need to change my postfix config.
Where / How to add a login/passwd for the authentication .... How to implement this ?
Thx

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: [Resolved] SSL-secured connection and authentication

We have a document for you:
http://www.iredmail.org/docs/enable.smtps.html

3 (edited by Thierry 2015-11-07 14:56:00)

Re: [Resolved] SSL-secured connection and authentication

Hi,
Thx a lot, work in progress wink
But I still need to auth to my ISP smtpa with the login/passwd .... Any idea ?
Do I need to use "sasl2" ?
Thx

4

Re: [Resolved] SSL-secured connection and authentication

Try this:

*) Append below settings in /etc/postfix/main.cf:

relayhost = [relay_server]:25
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_security_options = noanonymous

And this is the content in /etc/postfix/sasl_password:

relay_server user:password

Run postmap and restart Postfix service:

postmap hash:/etc/postfix/sasl_password
service postfix restart

5

Re: [Resolved] SSL-secured connection and authentication

It should be: relayhost = [relay_server]:25 or 465 ?

I have done it with port 465:

zobe postfix/smtpd[20688]: 709F020128: client=unknown[192.168.x.x], sasl_method=LOGIN, sasl_username=user@domain.ltd
....

zobe postfix/smtp[20712]: CLIENT wrappermode (port smtps/465) is unimplemented
zobe postfix/smtp[20712]: instead, send to (port submission/587) with STARTTLS

....

zobe postfix/smtp[20712]: 53EE620129: to=<target@gmail.com>, relay=smtpa.kolumbus.fi[193.229.5.16]:465, delay=56, delays=0.03/0.03/56/0, dsn=4.4.2, status=deferred (lost connection with smtpa.kolumbus.fi[193.229.5.16] while receiving the initial server greeting)

First line: the sasl_username is not the one I have add in my sasl_password file (??)

Thx

6

Re: [Resolved] SSL-secured connection and authentication

Please use port 25 instead of 465.

7 (edited by Thierry 2015-11-08 22:12:15)

Re: [Resolved] SSL-secured connection and authentication

made the change to 25

but:

zobe postfix/smtp[21941]: 3B1C820127: to=<target@gmail.com>, relay=smtpa.kolumbus.fi[193.229.5.16]:25, delay=1.3, delays=0.05/0/0.13/1.1, dsn=5.7.1, status=bounced (host smtpa.kolumbus.fi[193.229.5.16] said: 554 5.7.1 <xx.xx.xx.xx.elisa-laajakaista.fi[xx.xx.xx.xx]>: Client host rejected: You must authenticate (in reply to RCPT TO command))

I have made tests with my Thunderbird, to make it working directly without passing through my smtp server, I had to:

config smtp:

- server name: smtpa.kolumbus.fi
- port: 465

connection security: SSL/TLS
authentication passwd: Normal
user name: username@domain.ltd

Working with this config ...

8

Re: [Resolved] SSL-secured connection and authentication

*) Did you follow my post #4 to configure Postfix? Show me output of 'postconf -n'.
*) You're configuring MTA-to-MTA communication, not MUA (Thunderbird) -to-MTA. So Thunderbird setting is not ok for Postfix.

9

Re: [Resolved] SSL-secured connection and authentication

1) Yes indeed
2) Yes you are right .... Just show that the auth from my side was working

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mail.mydomain.tld
myhostname = mail.mydomain.tld
mynetworks = 127.0.0.1
mynetworks_style = host
myorigin = mail.mydomain.tld
non_smtpd_milters = inet:localhost:54321
policy-spf_time_limit = 3600s
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost = [smtpa.kolumbus.fi]:25
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_concurrency_limit = 10
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_milters = inet:localhost:54321
smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policy-spf
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unlisted_sender, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/GandiStandardSSLCA2.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

10

Re: [Resolved] SSL-secured connection and authentication

Do you have correct setting in /etc/postfix/sasl_password? What's the new error now?

11 (edited by Thierry 2015-11-09 13:39:26)

Re: [Resolved] SSL-secured connection and authentication

Working ... Thx